Agenda
UKGI00044334
POST OFFICE LIMITED
Meeting: Audit, Risk & Compliance Committee
Date: 28 September 2021
Time: 09.00 - 11.30
Location: 1.19 Wakefield, Finsbury Dials, 20 Finsbury Street, London, EC2Y 9AQ / Microsoft Teams
Present:
Carla Stent (Chair)
Tom Cooper (NED, UKGI)
Zarin Patel (NED)
Ken McCall (SID)
Regular Attendees:
Tim Parker (Group Chairman)
Nick Read (Group CEO)
Alisdair Cameron (Group CFO): Items 2.3, 2.4
Ben Foat (Group General Counsel): Item 8
Andrew Paynter (Audit Partner, PwC)
Sarah Allen (Senior Manager, PwC)
Rosie Clifton (Manager, PwC)
Johann Appel (Head of Internal Audit): Items 3.3, 5
Mark Baldock (Head of Risk): Item 3.1
Jonathan Hill (Compliance Director): Item 3.2
Sarah Kelleher (Senior Assistant Company Secretary)
Carol Murray (Deloitte Partner)
Invited Attendees:
Mark Siviter (Product Portfolio Director - Mails, PUDO, Retail & Government Services): Item 2.5
Andy Kingham (Franchise Partnering Director): Item 2.5
Tony Jowett (CISO): Item 3.3
Nick Beal (Network Performance Optimisation Director): Item 4
Zdravko Mladenov: Item 4
Jeff Smyth (Group Chief Information Officer): Item 4
Matt Taylor (Data Governance Lead): Item 4
Andy Bear (Lockton insurance broker): Item 6
Tom Lee (Group Financial Controller): Items 5, 6, 10
Christine Kirby (Head of Financial Accounting and Controls): Items 5 and 10
Peter Mitchell (Group Treasurer): Items 6, 9.2
Sally Smith (Money Laundering Reporting Officer and Head of Financial Crime): Item 7
Sarah Gray (Group Legal Director): Item 8
Barbara Brannon (Procurement Director): Item 9
Apologies:
Time | Item | Owner | Action
09:00 | 1. Welcome & Conflicts of Interest | Chair | Noting
09:05 | 2. Previous Meetings
2.1 Minutes (29th June 2021 and 26th July 2021) | Chair | Approval
2.2 Action List | Chair | Noting
2.3 Draft Risk and Compliance Committee Minutes (14 September 2021) | Al Cameron | Noting
2.4 Supply Chain Action Update | Al Cameron | Noting
2.5 Mails Deep Dive and Dangerous Goods Compliance Action Update | Mark Siviter & Andy Kingham | Noting
09:25 | 3. Risk, Compliance and Internal Audit Updates
Strictly Confidential
Post Office Limited - Audit, Risk & Compliance Committee-28/09/21
09:25 | 3.1 Risk Report & Dashboard | Mark Baldock | Noting & Discussion; Noting (for onward submission to the Board)
- Strategic Risk Management Review Update
- Risk Appetite Statements: Legal, Technology, People and Operations
09:40 | 3.2 Compliance Update | Jonathan Hill | Noting
09:50 | 3.3 Internal Audit Update | Johann Appel & Tony Jowett | Noting
10:00 | 5 minute break
10:05 | 4. Postmaster Management Information Update & Data Governance Framework Update | Nick Beal, Zdravko Mladenov, Jeff Smyth & Matt Taylor | Noting
10:25 | 5. Postmaster remuneration - 3rd party assurance | Tom Lee, Christine Kirby, Johann Appel | Noting
10:35 | 6. Corporate Insurance Renewal | Andy Bear, Peter Mitchell & Tom Lee | Noting and Approval
10:45 | 7. Whistleblowing Policy Interim Review | Sally Smith | Noting
10:55 | 8. Legal
8.1 Legal Risk Review (non-GLO/ Starling) | Ben Foat & Sarah Gray | Presentation
8.2 Contract Management Framework Controls | Ben Foat & Sarah Gray | Presentation
11:05 | 9. Procurement Governance & Compliance
9.1 Procurement Governance & Compliance | Barbara Brannon | Noting
9.2 Bulk Cheque Clearing Account | Barbara Brannon/ Peter Mitchell | Noting and Approval
11:15 | 10. Update on Annual Report and Accounts | Tom Lee & Christine Kirby | Update
- Timeline
- Action points for progress
11:25 | 11. Any other business | All
Items for Noting
These items will not be presented to the Committee and any questions should be sent to the Secretary for
submission to the author for response. Questions and answers will be recorded as appendices to the meeting
minutes.
1. Post Office Insurance ARC Update | Amanda Bowe & Ian Holloway
2. Modern Slavery Action | James Scutt & Amanda Jones
3. Committee Forward Plan | Secretary
Items for approval via Written Resolution
These items will not be presented to the Committee and approval will be sought via Written Resolution to be
signed by members prior to the meeting. Any questions relating to these items should be sent to the Secretary
for submission to the author for response.
1. Policies for Approval: | Jonathan Hill | Approval
- Summary Paper
- HMRC Fit & Proper
- Law Enforcement Policy
Next ARC Meetings:
* Ordinary meeting: Tuesday 30th November 2021 at 09:00 - 11:30
in 1.19 Wakefield, Finsbury Dials, 20 Finsbury Street, London, EC2Y 9AQ / via Microsoft Teams.
Tab 2.1 Minutes (29th June 2021 and 26th July 2021)
MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF
POST OFFICE LIMITED HELD ON MONDAY 26th JULY 2021 AT 20 FINSBURY STREET,
LONDON EC2Y 9AQ AT 09.00AM (VIA CONFERENCE CALL)¹
Present:
Carla Stent (Chair)
Tom Cooper (NED, UKGI) (TC)
Zarin Patel (NED) (ZP)
Ken McCall (SID) (KM)
Regular Attendees:
Tim Parker (Chairman, POL) (TP)
Nick Read (Group Chief Executive Officer) (NR)
Alisdair Cameron (Group CFO) (AC)
Ben Foat (Group General Counsel) (BF)
Andrew Paynter (Audit Partner, PwC) (AP)
Sarah Allen (Senior Manager, PwC) (SA)
Rosie Clifton (Senior Manager, PwC) (RC)
Johann Appel (Head of Internal Audit) (JA)
Mark Baldock (Head of Risk) (MB)
Jonathan Hill (Compliance Director) (JH)
Sarah Kelleher (Senior Assistant Company Secretary) (SK)
Veronica Branton (Company Secretary) (VB)
Hugo Sharp (Deloitte Partner) (HS)
Invited Attendees:
Dan Zinner (Group Chief Operations Officer): Item 3.1 (DZ)
Saira Burwood (Head of SPO): Item 3.1 (SB)
Angela Williams (Interim Chief People Officer): Item 3.2 (AW)
Helen Rhodes (People Shared Services Director): Item 3.2 (HRh)
Prashant Sagar (Deloitte): Item 3.4 (PS)
Dave Darracott (Deloitte): Item 3.4 (DD)
Sally Smith (Money Laundering Reporting Officer & Head of Financial Crime): Item 5 (SS)
James Scutt (Head of Customer Experience Strategy & Deployment): Item 6 (JS)
Amanda Jones (Group Retail & Franchise Network Director): Item 6 (AJ)
Amanda Bowe (Post Office Insurance ARC Chair): Items 7 & 8 (AB)
Ed Dutton (Post Office Insurance Managing Director): Item 7 & 8 (ED)
Ian Holloway (Post Office Insurance Director of Risk & Compliance): Items 7 & 8 (IH)
Tony Jowett (Chief Information Security Officer): Item 9 (TJ)
Jeff Smyth (Group Chief Information Officer): Item 9 (QS)
Russell Hancock (Supply Chain Director): Item 10 (RH)
Apologies:
N/A
Action
1. Welcome and Conflicts of Interest
1.1
A quorum being present, the Chair opened the meeting and noted that
participation was solely by conference call given the current Government
guidance on home working. However, given the requirements of the
Company’s Articles of Association, the location of the meeting was agreed
to be the Company’s Registered Office.
¹ Participation in the meeting was entirely via Microsoft Teams from participants’ personal addresses. In such
circumstances the Company’s Articles of Association (Article 64) require that the location of the meeting be
deemed as the chair’s location. However, it was not deemed appropriate to record personal addresses on the
Company record. As such, the Registered Office is recorded as the meeting location.
1.2
The Directors declared that they had no new conflicts of interest in the
matters to be considered at the meeting in accordance with the
requirements of section 177 of the Companies Act 2006 and the
Company’s Articles of Association.
Previous Meetings
The minutes of the meetings of the Audit, Risk and Compliance Committee
(ARC) held on 18th May 2021 were APPROVED and AUTHORISED for
signature by the Chair. The minutes from the ARC meeting held on 29
June 2021 were still under review and would be carried over to the next
scheduled ARC Meeting.
2.2
Progress against the completion of actions as shown on the action log was
NOTED as follows:
Action 1 from 27 July 2020 (para 4) and 27 September 2020 (para 6.4)
Pensions Assurance:
Angela Williams addressed progress made so far on this matter at the end
of Section 3.2 - Risk Appetite Statements: People as follows: PO was now
in frequent dialogue with trustees, who had sent over their requests and
demands. PO was reviewing these and was likely to reject some of them.
The active dialogue has momentum, but progress to meet the deadline in
March 2022 was slow. The Chair noted that this matter had been elevated
to Board level given the potential financial impact. Angela Williams stated
that if the ARC wanted a separate update, the People team would be happy
to give one, but she recommended that this action be closed, and
the People team would flag any future issues.
Action 20 from 18 May 2021 (para 3.2) - Operational Risk Appetite
Statements (network availability):
Mark Baldock reported that Tom Cooper had requested that network
availability be separated into long and short-term appetite. This had been
done and work was now being completed to incorporate this change into
the dashboard.
The Action remained open and was rolled over to the September 2021
ARC.
Action 28 from 18 May 2021 (para 8) - BEIS White Paper (subsidiary
reporting):
Alisdair Cameron agreed with Andrew Paynter’s team at PwC that the POL
subsidiaries weren’t big or important enough to be reported on separately;
it was only a Group review that was required.
The Action was closed.
MB
2.3
The draft minutes of the Risk and Compliance Committee held on 13th July
2021 were NOTED.
Risk, Compliance and Internal Audit Updates
Risk Update (including Transformation Office Update)
Mark Baldock introduced the paper, which had been circulated previously
and was taken as read. Mark Baldock presented the Risk Update, and Dan
Zinner and Saira Burwood presented the Transformation Office Update.
The Risk Update focused on the top-down risk assessment approved in
the 18 May 2021 ARC meeting. It was underpinned by the bottom-up risk
assessment. Mark Baldock’s intention in the September ARC paper was
to show how appetite worked against the risk set. Given the nature of the
risks, the risk mitigations were likely to be long-term, so the committee
wouldn't see a week-on-week decrease in risk ratings. It was noted that
the controls to manage the inherent risk in the interim were important. The
POL Board strategy days on 27 and 28 July 2021 would be a key input into
this work, as the priorities decided there would fold back into the risk data.
Mark Baldock highlighted the following key risks to the business:
- The reduction in footfall at PO branches as the market shifts to
digital, reinforcing the trends seen in younger people. The Amazon
trial and PUDO were part of the mitigation for this risk, but the PO
needed to get a better feel for the output on these trials.
- Low value non round (LVNR) transactions: Alisdair Cameron stated
that the PO have been in sustained conversations with the banks
about the Postmasters erroneously putting transactions through as
cash withdrawals to increase remuneration, although transactions
are, in the main, legitimately made. This arises out of the fact that
sub-£20 transactions are not charged for withdrawal. The PO
thought that the scale of this may have been overplayed by the
banks. AML and LVNR transactions were a focus for the banks in
Banking Framework 3 discussions. Mark Baldock will liaise with
Martin Kearsley and circulate a note on this matter.
- Mark Baldock reported that risk around AML was at level six, just
outside a risk-averse appetite of level five. This is thought to be a
short term position, reflecting improved reporting and does not
mean that the Post Office is non-compliant. The Committee will
continue to monitor this, especially as cash volumes increase.
Further points were made by the Committee as follows:
- The ARC discussed the low take-up of mandatory compliance
training. Jonathan Hill stated that within branches, the policy was
to turn off access to Horizon until compliance training had been
completed, which generally resulted in the issue being resolved,
but that there weren’t sufficient penalties in place in the head
office. Jonathan Hill was working with HR to change the culture
round this.
- The board discussed concerns around the FCA’s view of the PO in
terms of regulatory requirements. The PO was firm that regulation
should sit with the banks, as it was the banks that had the primary
relationship with the customers, and therefore needed to be held
ultimately responsible for any banking transactions.
MB
MB
- Johann Appel raised the issue of fraud that the bottom-up risk
register was starting to highlight and stated that there needed to
be increased visibility around fraud risk, and a person needed to
be nominated to take responsibility for this. Mark Baldock agreed
to address this.
Dan Zinner and Saira Burwood reported on the Transformation Office
update. Saira Burwood updated the Committee as follows:
- The four key areas of focus in the update were: (1) transitioning
our control framework onto ServiceNow; (2) wider business
education; (3) resourcing; and (4) benefits and forecasting.
- The SPO Control Framework had been successfully transitioned into
ServiceNow.
- The number of stand-alone SPO controls had decreased to 43.
- The first round of attestations had been completed and 40 out of
the 43 SPO controls were deemed effective.
- The induction process was being refined so that new joiners would
know how to deliver change.
- Looking forwards, it was important to make sure that the changes
being worked on were fully understood and embedded across the
PO.
- Mark Baldock stated that they were aiming to have finished the
rollout on SPO controls, finance and IT by September/ early October
2021. These would be included in the GRC tool and enable
automated reporting.
- It was noted that the forecasting and benefits processes and related
reporting were still maturing. This area remains a key focus.
- Looking forwards, the four key areas of focus for the Transformation
Office would be: (1) planning and dependency management; (2)
business change; (3) longer-term change workforce planning; (4)
inflight assurance.
Further points were made by the Committee as follows:
- Zarin Patel commented that the ARC had seen a lot of issues around
IT in the last few months and asked for an update. Dan Zinner
replied that for larger issues like SPM, the focus was on third party
assurance. A project gamekeeper was needed to facilitate
communication between external parties and the PO - especially for
the larger programmes.
- Ken McCall noted the perception (in the report) that relationships
between the stakeholders and the PO were declining, and balanced
this against the PO moving closer to resolving funding of the
Postmaster dispute with the help of UKGI and BEIS. Tom Cooper
agreed and Mark Baldock undertook to review the risk rating.
The Committee NOTED the risk update.
MB
3.2
Risk Appetite Statement: People
Angela Williams and Helen Rhodes introduced the paper, which had been
circulated previously and was taken as read. The People team had
reviewed their risk appetite and the risk structure across the PO, including
head office and branches. Tier 1 People risks had been identified as Talent
and Capability, Culture and Brand and Organisational Readiness, with risk
mitigations set out in the paper. There were concerns that if these risks
were not addressed, they would start to impact the wider business.
Angela Williams went into further detail on the Tier 1 People risks:
- Talent and Capability: ensuring the PO can attract, retain and
motivate top talent, especially around digital, technical and mail
skills and driving forwards the diversity and culture agenda.
- Culture and Brand: ensuring that there’s a clear narrative and
employer brand in place, and that the PO can retain the current
workforce, particularly within the context of rebuilding POL’s
reputation. The People team were working with Dan Zinner’s team
on putting the Postmaster promise in place, and engaging in Project
Starling.
- Organisational Readiness: addressing the return to the workplace,
especially for the induction of new joiners, meetings and work that
can best be carried out in the office, and the optimisation of hybrid
home/office working.
Tier 2 risks included ensuring Project Starling progressed and getting the
right target and reward structures in place.
Further points were made by the Committee as follows:
- The scarcity of digital and tech skills in the jobs marketplace, and
the need to make the PO a more attractive prospect for digital
workers was discussed by the ARC. Angela Williams stated that the
priority should be to have the right tech talent in place for the SPM
programme and the mails digital strategy. Helen Rhodes
commented that the PO would have to be flexible with its reward
strategy to ensure a good outcome in recruiting tech talent. Ken
McCall requested enhanced transparency from the People team on
this process. Angela Williams noted that the Digital Talent Strategy
is part of the overall People Strategy, and Angela would pick this
point up with Ken McCall separately as part of her regular updates
to him.
- Zarin Patel raised the subject of mental health and wellbeing within
the workplace and said that she would like to see this picked up in
the risk register. Angela Williams confirmed that a survey was
being carried out on this, and that the People team were working
closely with Health and Safety on the return of PO employees to the
workplace, and would reflect this in their next update. Updates
could be given as part of the FOTW strategy, which is being
managed at GE level. Updates could also be given to ARC, but the
People team needed to discuss with Al Cameron whether this should
sit with Angela or with Health and Safety, which is currently
overseen by Al Cameron/HSE. The People team were working
closely in order to mitigate current risks.
AW/
HRh
- Nick Read commented that significant progress had been made
against the HSS and interim payments aims, which was shoring up
the PO brand. From a consumer rather than an EVP perspective,
the PO brand had not been unduly damaged. In terms of IT, the
PO had outsourced this for the last ten years, and needed to build
a legacy team to take care of the existing framework until at least
2024/5, and a transformation team to shape future IT.
- Tom Cooper was struck by the point on the lack of employees who
understood existing processes, and asked whether it was too late
to focus on this. Angela Williams noted that regarding existing
processes, there were people who understood current processes,
but they were trying to run and fix the business at the same time
and there weren’t enough of these employees in place. However,
these employees had long tenure, and were not looking to move at
present. Nick Read thought this was an optimistic assessment. The
issues in mails came from both Fujitsu and Royal Mail having
developed functions, and the PO having to work out how to overhaul
this area. The PO were reviewing the skills in the commercial
function and seeking to recruit a new director in to assist with
banking. The mails business was a greater cause for concern and
would be discussed in the Board meetings.
- Tom Cooper expressed surprise regarding the mention of lack of
diversity at the PO. Angela Williams stated that there was a clear
EDI structure in place; the male/female balance was not such an
issue, but the PO was poor on ethnic diversity at a senior level. The
People team had held three days of DNA profile building last week,
and had discussed how to place this at the front of everyone’s mind,
as the diversity of thought and experience was not strong at senior
and mid-levels.
The Committee agreed that this was the biggest risk facing the running of
POL and agreed to keep it under regular review over the next 2-3 years.
The Committee APPROVED the Risk Appetite Statement: People update.
AW/
HRh
3.3
Compliance Update
Jonathan Hill introduced the paper, which had been circulated previously
and was taken as read.
- There was an elevated focus on controls, assisted by these now
being recorded in ServiceNow.
- The next area for consideration was the controls in operations. Tim
Perkins’s team would implement their controls structure to meet
the framework by the end of summer, then the controls would be
rolled out into the wider business, depending on funding and
capacity.
- Jonathan Hill noted that conversations with the FCA regarding
regulation need to be very carefully managed to avoid extra
regulatory burdens being placed on the PO. Jonathan Hill’s team
had responded very firmly to the FCA on Friday 23 July 2021 stating
what the PO’s position on this was. PO needed to ensure that the FCA
appreciated that the banks retained this regulatory responsibility.
Further points were made by the ARC as follows:
- Tom Cooper asked if Jonathan Hill was in contact with Treasury
about the PO's discussions with the FCA. Nick Read confirmed that
he had spoken with Gwyneth Nurse at HM Treasury and made the
burden of potential increased regulation on the PO very clear. The
PO and the Treasury were agreed as to the positioning.
- Ken McCall raised the subject of compliance training. Jonathan Hill
informed the Committee that there was a robust system in place to
ensure compliance training was completed at branch level, but
completion of compliance training at head office level did not match
this. At head office level, Jonathan wanted to make completion of
compliance courses part of employees’ objectives and success
factors, start a recognition programme for employees who were
doing well in this area and raise the profile of the positive benefits
of compliance to the business.
- Ken McCall requested that Nick Read pick up regulatory training at
senior levels of the business to improve transformational change in
this area from the top down. It was advised that Angela Williams
be asked to diarise time for senior management to complete their
compliance training.
The Committee NOTED the Compliance Update.
NR/
AW
3.4
Internal Audit (IA) Update
Johann Appel introduced the paper, which had been circulated previously
and was taken as read.
David Darracott, technical director in the Deloitte Risk Advisory team, and
Prashant Sagar, manager at Deloitte, gave an overview of the key findings
from their review of the SPM project in May/June 2021:
- Governance: Deloitte suggested implementing a key gating process
to align with the change excellence programme, to make sure that
no point of progress was missed.
- Regarding financial and commercial estimates, Deloitte suggested
documenting the consideration of other potential options and
measuring the cost of doing nothing against taking action, in order
to better evaluate the contrast between the alternative options.
- From a solutions assurance perspective, interviews with strategic
partners and gap formal interactions with Postmasters could be
improved.
David Darracott stated that all Deloitte’s recommendations had been
taken on board and the Internal Audit team were tracking progress.
In response to a question from the committee, Johann Appel believed that
Deloitte had presented a proposal for continued assurance that was still
being finalised. The Internal Audit plan also catered for a second phase
review of progress that had been made, how the programme had been set
up to go into delivery mode, and activities by the SPO.
The Committee discussed the following points:
- Ken McCall asked why it had been decided not to rate the audits,
such as in the SPM programme. Johann Appel stated that the report
in the pack was from very early in the life cycle of the programme.
David Darracott continued that the problem with rating these
assessments was that people then tended to focus on critical areas
rather than an overview. The Chair added that rated reports were
usually measuring compliance with policies and frameworks but
assurance reports provided an opinion. The Chair requested that
Johann Appel clarify what further assurance was planned for the
SPM project.
- The ARC then discussed the ATM strategy. It was noted that the
programme team had focussed on resourcing and getting a
mitigation in place. Tom Cooper expressed concern that it was
taking this long, as the Banking team had been talking about taking
over the ATM strategy from BOI for two years. Nick Read confirmed
he would investigate further and report back to the Committee.
- The Chair asked Nick Read about the HIJ improvement plan in terms
of managing the challenges around Fujitsu, such as alternative
solutions like bringing this work in-house, and recruitment at
branch level. Nick Read confirmed he would investigate further and
report back to the Committee.
- Johann Appel noted the overall results from last year’s Internal
Audit programme and stated that trends were positive. There had
been a reduction in average numbers of findings per audit and
improvements in controls, change controls and change delivery.
The report turnaround time had improved to be within the target
set at ARC level, and reporting time was now running at 17 days on
average, which was much better than the last few years.
The Committee NOTED the Internal Audit Update.
JA
NR
NR
Internal Audit Charter
Johann Appel introduced the paper, which had been circulated previously
and was taken as read. Johann confirmed that most of the changes
related to reformatting the audit charter and clarifying audit independence
thresholds.
The Committee APPROVED the Internal Audit Charter.
Anti-Bribery & Corruption Annual Report & Policy Review
Sally Smith introduced the paper, which had been circulated previously
and was taken as read. Work had been done to enhance donations and
charity aspects, and to get Gifts and Hospitality controls in place.
The Committee discussed the following points:
- The Chair queried the ABC position for Payzone. Sally Smith stated
that because Payzone was a small company, the ABC controls were
effective, even if they weren’t as strong as the PO would like them
to be. Payzone were starting to implement enhanced controls. The
wording had been changed to state that the ABC policy was a Group
policy, and Payzone had adopted this Group policy.
The Committee NOTED and APPROVED the Anti-Bribery & Corruption
Annual Report and Policy Review.
Modern Slavery Statement (MSS)
Amanda Jones and James Scutt introduced the paper, which had been
circulated previously and was taken as read. The Committee was asked
to consider and, if appropriate, recommend the approval of the PO Modern
Slavery Statement (MSS) and commitments for this financial year to the
Board. Amanda Jones was pleased by the progress that had been made
on this in the last few years. There had only been a few ‘yes’ flag
observations.
The Committee discussed the following points:
- Zarin Patel queried the report looking at a minimum of 10 suppliers,
and asked how they were selected, and whether 10 was enough. James
Scutt replied that the suppliers were selected on a risk-based basis,
and that 10 was a good number at this stage. Zarin Patel requested
a case study similar to what was included in the observations for
next year’s MSS. James confirmed he would effect this.
- James Scutt noted that the pie charts in the report covered the
supplementary questions relating to branch set-up. The team were
to flag unusual behaviour such as people who were shying away
from positions of authority, who were tentative about making
contact, and whose demeanour suggested they were working very
long hours or living in less-than-ideal conditions.
- Amanda Jones informed the board of an ongoing potential Modern
Slavery case involving an individual who lived above a Post Office
shop. A Modern Slavery response had been convened, an
organisation called Unseen UK, who the PO were looking to partner
with, had been notified as first responders, and the local authority
would be contacted, if appropriate. POL’s obligations ended at the
point of notification to Unseen UK to ensure that no police
investigations would be disrupted.
The Committee agreed to RECOMMEND that the Modern Slavery
Statement be APPROVED by the Board for publication on the PO’s
website.
JS
Update from Subsidiaries: verbal update
Post Office Management Services (ARC)
Ed Dutton and Ian Holloway delivered a verbal update on Post Office
Management Services. COVID had had a significant impact on the
profitability of the travel industry, which had affected POM, as travel
insurance was their biggest product. However, the business had managed
the move to remote-working effectively, and had launched a new
proposition, which was noted as household. Service at POM had been
broadly maintained, with a focus on cashflow and costs. POM was
forecasting a £1m loss. POM’s risk profile had improved.
Two significant events had taken place in the last year. First, a significant
cyber-attack, which had been handled via a good response from Group
IRS with the POM teams. Secondly, there had been an error in pricing on
aggregators and price comparison websites. This had been promptly
identified and rectified, and controls had been strengthened to prevent a
re-occurrence of the pricing error. The focus was now on maximising
recovery as Covid restrictions were being relaxed.
Ian Holloway reported that at present, trading was steady, and the budget
was well-planned going forward. It had been a challenging year, but POM
had risen to the occasion, and had delivered whilst minimising risks. Risk
had been halved in the cashflow, reducing the negative impact on goodwill
balances. Good progress had been made in addressing complaints and
this area would remain a focus for the 2nd LOD. Further resourcing had
yet to be applied to the complaints area.
The Chair noted that this was likely to be Amanda Bowe’s last meeting and
noted our thanks for the work she has done over the last 6 years.
The Committee NOTED the Post Office Management Service’s verbal
update.
Post Office Insurance Deep Dive
The Committee NOTED the Post Office Insurance Deep Dive paper.
IT Controls Deep Dive
9.1
Jeff Smyth and Tony Jowett introduced the paper, which had been
circulated previously and was taken as read.
Tony Jowett referred to the plan for improvement on page 4 of the IT
Controls Deep Dive paper in the board pack. The plan was being delivered
in a series of phases:
- Phase 1: ‘Pipe-cleaner’ IT controls activity and roadmap
development - this phase had been completed.
- Phase 2: Building IT controls foundations - Tony stated that this
phase formed the bulk of building the platform, training employees
to use it and remediation of HIJ issues. The controls were running
in SNOW, and the Traction platform would be decommissioned by
the end of September 2021.
- Phase 3: Optimise, embed and continuous improvement - this
phase was about project maturity. Tony Jowett estimated that it
would take 6-12 months to embed the system.
In a recent review of the self-assessment, only 5 controls were found not
to be effective, as a result of reliance on 3rd party suppliers to provide the
evidence. Feedback had been given that SNOW added clarity. The next
step would be to put the remainder of the controls in place and get the
target operating model built in order to include a strong second line of
defence, so that controls could be matured more effectively.
The Committee discussed the following points:
- The Chair asked about the effectiveness of Cobit-5 as a framework
against which to assess maturity of controls and about the controls
that were not effective in the recent self-assessment. Tony Jowett
stated that there were a number of frameworks but that the team
had more experience working with Cobit-5.
- Zarin Patel queried the aim of having the system embedded within
6-12 months. Jeff Smyth agreed that it might take longer than this,
and would have to fit with the broader culture embedding process.
On an individual level, Tony Jowett was going to take on a broader
role, and recruitment had started for roles to help strengthen the
second line of defence.
- The Chair noted that the paper indicated that Fujitsu were pushing
back failover tests. Jeff Smyth reported that there had been a
marked drop in Fujitsu’s receptiveness to changes, and rollout of
work. However, Fujitsu had tested a lot of the environmental
factors but resourcing had been impacted by incidents of Covid and
local parades. On this basis, the PO had released Fujitsu from the
obligation of the July tests. Fujitsu were ready to run the tests in
August, but there were some internal priority issues for POL and
Accenture. The tests were now scheduled in for September, and
with Verizon for 13-15 August. More people needed to be found
internally in the PO who could participate in tests during the
weekends.
- At the Chair’s request, Jeff Smyth confirmed he would assess the
cookie settings on the PO website. The Chair stated that equal
weightings were needed for the ‘yes’ and ‘no’ options for accepting
cookies.
JS
The Committee NOTED the IT Controls Deep Dive paper and update.
10. Supply Chain Controls
10.1 Russell Hancock introduced the paper, which had been circulated
previously and was taken as read.
Alisdair Cameron noted that there were some big decisions to be made in
the future around Swindon and the PO’s likely refusal to join a UK cash
facility. He further commented on two issues that had been revealed:
- It had been discovered that some CCTV was not being managed by
the PO IT Function/ Data Protection scheme. This had been
resolved.
- A compliance issue had occurred with the Bank of England resulting
in a deficit to them of £120. The PO had worked hard to rectify the
controls in this area, but, despite the small absolute amount, the
variance still showed that there are some ineffective controls.
He noted that a number of the controls were still manual but that the
teams were taking the matters very seriously.
Russell Hancock highlighted the following issues:
- Servers relating to digital CCTV systems were present at five sites;
these were not under IT management and were not supported. At one
site, where the networks had been exposed, this had been closed, and
a virus scan completed.
- Routers provided by third parties, where the password was not
encrypted. This had now been rectified. In response to a question
from the committee, it was confirmed that there had been no loss
of personal data.
- Mobile Post Office compliance issues with daily vehicle checks and
reports not being logged. Recruitment was in progress for an
employee to look after the mobile fleet, and digital tools were being
designed to update daily tasks.
The Committee discussed the following points:
- The Committee agreed that the mobile fleet should sit under the
supply chain network. Russell Hancock stated that he would be
happy to give a further update in three to four months on this
subject.
The Committee NOTED the Supply Chain Controls update.
RH
11. AOB
11.1 The ARC discussed the growing importance of ESG within the wider
business environment:
- Tom Cooper stated that this was a focus for government due to the
upcoming COP26, where all partner organisations would be asked
to report on how to achieve a net zero carbon target, which would
be based on the entire supply chain, as well as self-generated
emissions. At this stage, most organisations were unlikely to have
a plan for this, not least because it requires a huge amount of work.
The onus was likely to be on organisations to understand the issues
and look at their supply chains.
- Alisdair Cameron noted that the topic of ESG had been discussed at
GE level a few weeks ago, and the areas where the PO were looking
to deliver were considered. The challenges to implementing ESG-
friendly practices at the PO were likely to be related to budget, for
example, replacing supply chain vehicles with electric vehicles
would be very expensive.
- Ken McCall stated that it was vital to maintain contact with the
people in the supply chain. It was important to the PO brand to
understand how to manage ESG and what actions could be taken
to effect ESG goals by the PO.
- Nick Read agreed that from the brand point of view, the PO needed
to run a diagnostic phase before starting a planning phase, and this
should be brought to the Board’s attention.
There being no further business, the meeting was closed at 11:30am.
12. Items for Noting
12.1 The following papers, which were circulated to the Committee prior to the
meeting, were NOTED by the Committee:
- Procurement Governance & Compliance
- Belfast Datacenter (Horizon) Disaster Recovery Post Test Briefing
- Payment Practices Reporting
- Law & Trends
- Corporate Insurance Renewal
- Policy Update - Summary Paper
- Committee Forward Plan
Cha Date
Meeting Actions:
Para No.    Action Detail    Action
2.2 Action 1 from 27 July 2020 (para 4) and 27 September 2020 (para 6.4),
Pensions Assurance:
In the ARC meeting today:
Angela Williams addressed progress made so far on this matter at the end
of Section 3.2 - Risk Appetite Statements: People as follows: PO was now
in frequent dialogue with trustees, who had sent over their requests and
demands. PO was reviewing these and was likely to reject some of them.
The active dialogue has momentum, but progress to meet the deadline in
March 2022 was slow. The Chair noted that this matter had been elevated
to Board level given the potential financial impact. Angela Williams stated
that if the ARC wanted a separate update, the People team would be happy
to give one, but she recommended that this action be closed, and the
People team would flag any future issues.
AW
The Action was recommended for closure
2.2
Action 20 from 18 May 2021 (para 3.2) - Operational Risk Appetite
Statements (network availability):
In the ARC Meeting today:
Mark Baldock reported that Tom Cooper had requested that network
availability be separated into long and short-term appetite. This had been
done and work was now being completed to incorporate this change into
the dashboard.
The Action remained open and was rolled over to the September 2021
ARC.
MB
2.2
Action 28 from 18 May 2021 (para 8) - BEIS White Paper
(subsidiary reporting):
In the ARC Meeting today:
Alisdair Cameron agreed with Andrew Paynter’s team at PwC, that the POL
subsidiaries weren't big or important enough to be reported on separately,
it was only a Group review that was required.
The Action was recommended for closure
AC
3.1
Risk, Compliance and Internal Audit: Risk Update (including
Transformation Office Update)
The Risk Update paper focused on the top-down risk assessment approved
in the 18 May 2021 ARC meeting. It was underpinned by the bottom-up
risk assessment. Mark Baldock’s intention in the September 2021 ARC
paper was to show how appetite worked against the risk set.
MB
3.1
Risk, Compliance and Internal Audit: Risk Update (including
Transformation Office Update)
Low value non round (LVNR) transactions: Alisdair Cameron stated that
the PO have been in sustained conversations with the banks about the
Postmasters erroneously putting transactions through as cash withdrawals
to increase remuneration, although transactions are, in the main,
legitimately made. This arises out of the fact that sub-£20 transactions
are not charged for withdrawal. The PO thought that the scale of this may
have been overplayed by the banks. AML and LVNR transactions were a
focus for the banks in Banking Framework 3 discussions. Mark Baldock
will liaise with Martin Kearsley and circulate a note on this matter.
MB/MK
3.1
Risk, Compliance and Internal Audit: Risk Update (including
Transformation Office Update)
Fraud in the bottom-up risk register: Johann Appel raised the issue of
fraud that the bottom-up risk register was starting to highlight and stated
that there needed to be increased visibility around fraud risk, and a person
needed to be nominated to take responsibility for this. Mark Baldock
agreed to address this.
MB
3.2
Risk Appetite Statement: People
_ workers
The scarcity of digital and tech skills in the jobs marketplace, and the need
to make the PO a more attractive prospect for digital workers was
discussed by the ARC. Angela Williams stated that the priority should be
to have the right tech talent in place for the SPM programme and the mails
digital strategy. Helen Rhodes commented that the PO would have to be
flexible with its reward strategy to ensure a good outcome in recruiting
tech talent. Ken McCall requested enhanced transparency from the People
team on this process. Angela Williams noted that the Digital Talent
Strategy is part of the overall People Strategy, and Angela would pick this
point up with Ken McCall separately as part of her regular updates to him.
AW/
HRh
3.2
Risk Appetite Statement: People — mental health and wellbeing
Zarin Patel raised the subject of mental health and wellbeing within the
workplace and said that she would like to see this picked up in the risk
register. Angela Williams confirmed that a survey was being carried out
on this, and that the People team were working closely with Health and
Safety on the return of PO employees to the workplace, and would reflect
this in their next update. Updates could be given as part of the FOTW
strategy, which is being managed at GE level. Updates could also be given
to ARC, but the People team needed to discuss with Al Cameron whether
this should sit with Angela or with Health and Safety, which is currently
overseen by Al Cameron/HSE. The People team were working closely in
order to mitigate current risks.
AW/
HRh
3.3
C U = I ni
Ken McCall requested that Nick Read pick up regulatory training at senior
levels of the business to improve transformational change in this area from
the top down. It was advised that Angela Williams be asked to diarise
time for senior management to complete their compliance training.
NR/
AW
3.4
Internal Audit Update - assurance
Ken McCall asked why it had been decided not to rate the audits, such as
in the SPM programme. Johann Appel stated that the report in the pack
was from very early in the life cycle of the programme. David Darracott
continued that the problem with rating these assessments was that people
then tended to focus on critical areas rather than an overview. The Chair
added that rated reports were usually measuring compliance with policies
and frameworks but assurance reports provided an opinion. The Chair
requested that Johann Appel clarify what further assurance was planned
for the SPM project.
JA
3.4
Internal Audit Update - ATM strategy
The ARC moved on to the Internal Audit report on strategy. It was noted
that the programme team had focussed on resourcing and getting a
mitigation plan in place. Tom Cooper expressed concern that it was taking
this long, as the Banking team had been talking about taking over the ATM
strategy from BOI for two years. Nick Read confirmed he would
investigate further and report back to the Committee.
NR
3.4 Internal Audit Update - HIJ Improvement Plan
The Chair asked Nick Read about the HIJ improvement plan in terms of
managing the challenges around Fujitsu, such as alternative solutions like
bringing this work in-house, and recruitment at branch level. Nick Read
confirmed he would investigate further and report back to the Committee.
NR
6.1 Modern Slavery Statement — case study
Zarin Patel requested a case study similar to what was included in the
observations for next year’s Modern Slavery Statement. James confirmed 3s
he would effect this.
9.1 IT Controls Deep Dive
At the Chair's request, Jeff Smyth confirmed he would assess the cookie
settings on the PO website. The Chair stated that equal weightings were
needed for the ‘yes’ and ‘no’ options for accepting cookies.
JS
10.1 Supply Chain Controls — mobile fleet placement
The Committee agreed that the mobile fleet should sit under the supply
chain network. Russell Hancock stated that he would be happy to give
a further update in three to four months on this subject.
RH
[Tab 2.2 Action List: the table on these pages is not legible in this copy.]
Tab 2.3 Draft Risk and Compliance Committee Minutes (14 September 2021)
POST OFFICE LIMITED
MINUTES OF A MEETING OF THE RISK AND COMPLIANCE COMMITTEE OF POST OFFICE
LIMITED HELD ON 14 SEPTEMBER 2021 AT 10:00 - 13:00 AT 1.19 WAKEFIELD,
FINSBURY DIALS, 20 FINSBURY STREET, LONDON, EC2Y 9AQ / VIA MICROSOFT
TEAMS
Present:
Attendees:
Alisdair Cameron (Chair)
Mark Baldock (Head of Risk): Item 3.1
Helen Rhodes (People Shared Services Director)
(deputising for Angela Williams (Interim Group Chief People
Officer))
Ben Foat (Group General Counsel)
Amanda Jones (Group Retail & Franchise Network Director)
Jeff Smyth (Group Chief Information Officer)
Jonathan Hill (Compliance Director): Items 3.2 & Item 12
Johann Appel (Head of Internal Audit): Items 3.3 & Item 6
Mark Siviter (Product Portfolio Director): Item 4
Andy Kingham (Franchise Partnering Director): Item 4
Nick Beal (Network Performance Optimisation Director): Item 5
Zdravko Mladenov (Business Transformation Director): Item 5
Tom Lee (Financial Controller): Items 6
Jonny Lonsdale (Business Continuity Manager): Item 7
Sarah Gray (Group Legal Director): Item 8
Vitor Camara (Senior Financial Crime Manager): Item 9
Barbara Brannon (Procurement Director): Item 10
Ian Holloway (Director, Risk & Compliance, Post Office
Insurance): Item 11
Mark Harris (Compliance Manager, Post Office Insurance):
Item 11
Matt Taylor (Data Governance Lead): Items 5 & 12.7
Ehtsham Ali (Head of Cyber Security Compliance): Item 12.7
Sarah Kelleher (Senior Assistant Company Secretary)
Apologies:
Angela Williams (Interim Group Chief People Officer)
Cathy Mayor (Finance Director, Commercial)
1. Welcome and Conflicts of Interest Action
The Chair opened the meeting and advised that all papers would be taken as read.
No conflicts of interest were declared.
2. Minutes and Action Lists
2.1 The minutes of the Committee meeting held on 13 July 2021 were APPROVED.
2.2 Progress on completion of actions as shown on the action log was NOTED as
follows:
The Chair recommended that all actions pertaining to the preparation of papers for
the RCC meeting on 13 July 2021 and the ARC meeting on 26 July 2021 be closed.
This included the following actions:
- Action 4 from 12 January 2021 para 3.3. Compliance Update
- Action 7 from 16 March 2021 para 3.1. Risk Update
- Action 8 from 16 March 2021 para 3.1. Risk Update
- Action 13 from 13/07/2021 para 2. Minutes and Action Lists
- Action 14 from 13/07/2021 para 3. Anti-Bribery and Corruption
- Action 15 from 13/07/2021 para 3. Anti-Bribery and Corruption
- Action 17 from 13/07/2021 para 3. Anti-Bribery and Corruption
- Action 18 from 13/07/2021 para 4. Modern Slavery Statement
- Action 19 from 13/07/2021 para 4. Post Office Insurance Deep Dive
- Action 20 from 13/07/2021 para 5. Post Office Insurance Deep Dive
- Action 21 from 13/07/2021 para 6. IT Controls Deep Dive
- Action 22 from 13/07/2021 para 7. Belfast Datacentre
- Action 23 from 13/07/2021 para. 8. Supply Chain Controls
- Action 24 from 13/07/2021 para 9. Transformation Office Update
- Action 25 from 13/07/2021 para 11. Procurement, Compliance and
Governance.
- Action 27 from 13/07/2021 para. 14.1 Risk, Compliance and Audit Update —
Risk Report and Dashboard.
- Action 28 from 13/07/2021 para. 14.1 Risk, Compliance and Audit Update —
Risk Report and Dashboard.
- Action 29 from 13/07/2021 para. 14.2 Risk, Compliance and Audit Update -
Risk Appetite Statement: People.
- Action 30 from 13/07/2021 para 14.4 Risk, Compliance and Audit Update —
Risk Appetite Statement: People
- Action 31 from 13/07/2021 para. 14.4 Risk, Compliance and Audit Update -
Internal Update
Action 1 from 14 January 2020 para 10.6 Money Laundering Reporting Officer
Annual Report:
The initial action was for BF, SS and JH to talk to Retail regarding enforcing three
lines of defence and suggested BF attend a meeting with HMRC. As at 14 July 2021,
HMRC were still not conducting any meetings, and had not indicated when meetings
would resume. The action was closed.
Action 2 from 12 November 2020 para 16 Data Governance:
The Legal, Data Protection, IT and Ruk Shah (MI & Analytics Director) were asked
to work on a coherent recommendation on how the data retention policy should
evolve and how it will be implemented to return to RCC and ARC in January 2021.
It was noted in today’s RCC meeting that this action had not been updated since
April 2021. Ben Foat would consult with BTU on this matter. The action remained
open.
BF
Action 3 from 12 January 2021 para 3.3 Compliance Update:
The Chair highlighted the request to approve the recommendation to establish a
Post Office-wide Data Governance framework and SteerCo. The action remained
open.
Action 5 from 12 January 2021 para 7. Annual Money Laundering Report:
It was requested that Sally Smith write to the banks and make it clear that MSBs
cannot be used through the Post Office network. Regular bilateral meetings
continue between POL FC team and Barclays. The action was closed.
Action 6 from 12/01/2021 & 16/03/2021 para 13. Historical Matters Unit:
Fraudulent Claims Controls & Delegation of Authority & 2.2 Actions Update:
This action had been duplicated lower down the spreadsheet. The action was closed.
Action 9 from 16/03/2021 para 9. Business Continuity:
The Chair highlighted that an end-to-end test of Horizon and cloud migration had
not been completed. Jonny Lonsdale was asked to discuss this with Howard Booth
and provide an update to the Committee. The Chair recommended this action for
closure, but requested that it be covered in the Business Continuity Update paper
in the November 2021 RCC/ARC. Action recommended for closure.
Action 10 from 16/03/2021 para 11. Improvement Plan:
The first phase of improvement was to offer a Horizon menu-based alternative to
the manual scanning of the dangerous goods laminate. The action remained open.
Action 11 from 04/05/2021 para. 3.4 Compliance Update:
With reference to paragraph 46, the Chair questioned the reference to a ‘minor fine’
from the Bank of England, noting that this was not his understanding. The fee
was actually ‘loss seigniorage’ rather than a fine. Action closed.
Action 12 from 04/05/2021 para 10. Procurement, Compliance & Governance:
Barbara Brannon was asked to update the appendix to the paper (all open material
incidents) with a column showing who approved the exception prior to the paper
being submitted to the 28 September 2021 ARC. Action closed.
Action 16 from 13/07/2021 para 3. Anti-Bribery and Corruption
Juliet Lang/ the People team to ensure that Post Office contractors were engaged
with compliance training, and for progress on this matter to be reported at the
September 2021 RCC. Helen Rhodes confirmed the following in an email of
26/07/2021:
In terms of the action on compliance training, I have spoken to Juliet Lang, Talent
& Diversity Director and confirm the following:
- My comment on robotics was that we are exploring robotics to see if it
helps with the manual process of ensuring that compliance training had been
completed.
- Contractor completion rates have improved but timing of modules being
released and the sometimes short nature of a contractor's term with POL can
skew the numbers.
- Whilst the GE receive lists of employees that have not completed the training
pre and post deadline of each of the compliance modules, the escalation
process is being further reviewed by Juliet and her team to work with
compliance who own the completion rates of the modules to ensure we are
meeting our regulatory requirements. A fuller response will be submitted by
Juliet in line with the submission deadline for the next RCC on 14th
September 2021. Action closed.
Action 26 from 13/07/2021 para 13. Update on Service and Support Controls
Amanda Jones to speak to Tim Perkins and provide further data on how quickly
cases that went through stages T1, T2 and T3 were resolved. At the RCC meeting
on 14 September Amanda Jones confirmed that this action had been pushed back
to the November 2021 RCC/ARC cycle because of the new controls framework being
introduced between now and then. The case for that will be presented by Tim
Perkins' team in the next round of IC, and it's coming back to PRB. Action remains
open.
Action 32 from 13/07/2021 para 14.4. Risk, Compliance and Audit Update - Internal
Audit
The following actions were noted: (1) there are five overview actions, all relating to
HMU. Johann Appel suggested providing an extension for these action points until
Internal Audit could see the new organisational structures. This was agreed upon,
with the aim of the action points being reportable and cleared by the September
ARC. (2) Johann Appel agreed to follow up with the current HMU team to drive the
completion of these actions, and revisit if they hadn't been completed by the end of
the summer. On 13/07/2021 the RCC agreed to provide further extension until end
September for the new HM org structure to embed and the outstanding governance
arrangements to be finalised. Action remains open.
Action 33 from 13/07/2021 para 15. Policies for Approval
Ben Foat to review the document and disposal policy. This would be covered later
in today’s meeting. Action remains open.
3.1
Risk, Compliance and Audit Update
Risk Report & Dashboard
Mark Baldock introduced the paper, which had been circulated previously and was
taken as read. Mark highlighted the following points:
- Para 6: POI non-compliance with Pricing Super Complaint notice - because
the market changes when the new FCA price walking regime rules go live,
there is a risk that POI might not be ready, and therefore would not be able
to deliver on its five-year plan. POI had a plan in place that was now well
established. A key risk to consider was the uncertainty of how the markets
would behave when the new regulations were implemented.
- Para 7, Low Value Non Round (LVNR) Transactions processed as Cash
Withdrawals - the risk was that Postmasters could be processing POS
transactions as cash withdrawals, against the explicit contractual terms
agreed with the banks. This risk was reducing, as it was an industry-wide
issue, for which an industry-wide solution was being explored, therefore the
risk of specific action against the Post Office was receding.
- Para 8, Post Office being challenged as ‘Agent’ for cash banking by FCA, was
still a key risk with regards to the PO’s status as ‘agent’. Mark Baldock would
reference this in the risk paper going to the ARC meeting on 28 September
2021.
- Para 9, DVLA contract financial ratios - the PO was currently in breach of a
provision within their contract with DVLA requiring the PO to report on the
applicable financial ratio levels after each financial year. The risk was
relatively low, but Mark Baldock wanted to investigate how to mitigate the
risk, as it could have long-term consequences.
The Committee raised the following points on the report:
- The Chair thought the report was more negative in places than the risks
warranted, and requested that the report be edited ahead of the ARC
meeting on 28 September 2021.
- The Chair requested that the following be highlighted in the report going to
the September ARC: (1) regarding the risk at para 7, LVNR Transactions
processed as Cash withdrawals, there was no loss for the banks; (2)
regarding the risk at para 9, DVLA contract financial ratios, the PO had not
reported on the applicable financial ratio levels since the start of the contract,
so the rationale that the DVLA could terminate the contract on this basis was
not sound.
- Mark Baldock stated that regarding the Postmaster & Network risks, paras
14-17, he had focused on items where the risks were low and outside the
ARC appetite. The plans that were in place to mitigate these risks should
start to drive their risk ratings down.
- Amanda Jones commented that regarding para 16, ‘Postmasters lose faith in
our ability to change’, the PO would get a good indication of where matters
stood following the October 2021 Pulse survey. The PO would use the
consultation from earlier this year as a base line.
- Regarding para 18, ‘Fail to support new agents’, Amanda Jones stated that
this risk related to a number of Deloitte report findings as to how the PO
should change its approach to onboarding and supporting postmasters. One
of the metrics the PO confirmed they would use is how long it took to onboard
a postmaster. Currently, onboarding takes just under five months and the
metrics were improving. Because of the way the metrics were scored, they
currently sat just outside the risk appetite.
MB
MB
MB
- Mark Baldock did not intend to focus on Financial risks this meeting, which
was acknowledged by the Chair. Regarding legal risks from para 23, Mark
had focused on risks relating to Starling, Competition Law and Anti-Money
Laundering non-compliance, which were tracking very slightly outside the
risk appetite.
- From a central risk perspective, Mark Baldock needed an update on who was
managing some of the risks, as a few PO risk-owners had moved on. Ben
Foat requested Mark to put his name against the HMU and Inquiry risks. In
due course, the HMU and Inquiry directors would be the risk-owners for
these risks, and Ben would also have oversight of these risks for approval to
the RCC. Ben and Mark agreed to review the risks holistically, and look at
the whole programme to make sure the records were up to date.
- Regarding disaster recovery under the Technology risks from para 23, the
PO was on schedule for a DR test on 13 September 2021 with Fujitsu. For
the purposes of ARC, Jeff Smyth stated that the subjects of Belfast and
serviceable life equipment should be highlighted, and requested that Mark
Baldock consult with Gary Walker on these matters, and remediation thereof.
The Chair stated that the best way to handle these risks was to exit Belfast,
and that this should be a priority. The PO needed to move on from Fujitsu
and Horizon. Jeff Smyth confirmed that a discussion was being held on this
subject at the GE on 15 September 2021. IC would need to ratify GE’s
decision.
The Committee NOTED the risk update for onward submission to the Audit, Risk &
Compliance Committee (ARC).
BF/MB
MB
3.2 Compliance Update
Jonathan Hill introduced the paper which had been circulated previously and was
taken as read. The following points were highlighted:
- Regarding the Controls Framework, paras 1-4, Jonathan Hill confirmed he
was working directly with the Service & Support Team, and that progress
had been made in this area. A positive discussion had been held at GE last
week, where this matter had been prioritised due to its effect on
Postmasters.
- Regarding para 5, an initial breach notification had been reported to the
Information Commissioner's Office (ICO) relating to a lost ex-employee’s HR
file, which had been requested by the CCRC (now the HRC). The ICO had
not yet responded, but when they did, Jonathan Hill would update the
Committee.
- Further to paras 5 - 15, Data Protection and Information Rights, Jonathan
Hill referred the Committee to the paper on the Postmaster Management
Information Update and the Data Governance Framework Update at agenda
item 5, and stated that he had held constructive conversations with Zdravko
Mladenov, Ben Foat and Sarah Gray on this matter.
- Regarding the FS Key Regulatory Update - Banking Framework and FCA
from para 38, Jonathan Hill stated that there were two parts to the banking
challenges: (1) the FCA and their interest in post office status - Jonathan
confirmed that the PO had been very clear with them on what their status
was, backed by senior legal advice. The FCA had confirmed that they would
put their position in writing by September 2021, giving their view on what
kind of entity they considered the PO to be, and why the FCA didn’t agree
with the PO on other cash deposits and their view on what PO's
responsibilities and accountabilities were. Jonathan had not yet heard back
from them.
JH
- The Chair asked how senior were the people that the PO were dealing with
at the FCA; Jonathan Hill replied that he had been in touch with the heads
of units and the FCA employees who drove and supervised FCA policy. The
Chair considered whether this matter should now be flagged to BEIS, the
Treasury and the Bank of England. Jonathan confirmed that he would pick
this up with Martin Kearsley.
JH
- Regarding HMT Access to Cash from para 48, Jonathan Hill confirmed that a
consultation was underway regarding access to cash, Jonathan had gone
through the matter with Legal and Compliance, and the consultation was
being put together with the assistance of the Banking team. Subject to the
Committee agreeing, the consultation was ready to be taken to the Treasury.
The Committee raised the following points on the report:
- Helen Rhodes pointed out that the data protection breach detailed at para 5
had taken place over a ten-year period, and was therefore not material, and
that this context should be made clear to ARC.
JH
- Following on from a query from Carla Stent at the 26 July 2021 ARC meeting
as to whether the Post Office was compliant with cookie management policy,
Jeff Smyth raised this query at the meeting and said he would pick this up
with the digital and customer service teams. The Chair recalled that ARC
had confirmed to Carla that the PO was compliant with the rules as they
were, but there were some anxieties that the PO was falling behind on this.
The Chair was happy to be in a position of being compliant with cookie policy,
but did not think the PO needed to be an industry leader in this area. Jeff
Smyth confirmed this was where the PO sat, and that he would provide a
brief update for the 28 September 2021 ARC meeting.
JS
- Jeff Smyth raised a concern regarding the volume of Freedom of Information
(FOI) requests from para 13, particularly those relating to historic
information, and the way these were being handled by the PO. A
conversation had been held between the Chair, Ben Foat and Nick Beal on
this matter, and it had been agreed that FOI requests needed light
executive-level steering oversight. Ben continued that there was a political
angle to some of the requests. If the IT team could be involved in the FOI
process they would be happy for Jeff’s team to join Steerco. In terms of
Steerco visibility, Ben confirmed that Jonathan Hill and Chris Russell were
producing a paper on this. Jonathan added that as part of CEO questions,
his team was producing a series of high-level guides on FOI requests, how
they worked, and what needed to be considered. Steerco would look at any
challenging cases and the process was well flagged.
- Regarding para 24, detailing the report submitted to key senior stakeholders
outlining the risks to the PO associated with the Other Stamps Ordinary
function on Horizon, the Committee asked how this was being escalated.
Jonathan Hill reported that this question was being continually raised with
Commercial. Mark Baldock confirmed that he would take an action on this
matter to speak to Commercial, and get the matter progressing. Amanda
Jones asked if this matter should be linked to the work that Simon was
undertaking on Horizon; Jeff Smyth agreed that this should be picked up as
a systems improvement matter rather than an HIJ matter, but that there
was an HIJ element to it, and it still needed a commercial owner. The Chair
wanted commercial oversight on this matter before it went up to ARC.
MB
- Jonathan Hill reported that a proposal from POI would be discussed later in
the meeting. An assessment had been completed by Legal and Compliance
on this proposal, and on the combining and merging of a subsidiary created
from a governance and compliance perspective. Ed Dutton and Jonathan
Hill had spoken on this topic, but had yet to sit down and discuss the paper,
which they would do in the next few weeks to address the relevant
challenges.
The Committee NOTED the Compliance update for onward submission to the ARC.
JH/ED
3.3 Internal Audit Update
Johann Appel introduced the paper which had been circulated previously and was
taken as read. The following points were raised:
- Johann Appel reported that the IA cycle was at its mid-year point. Half of
the 30 audits had been completed, and five audits had been completed in
the current reporting cycle.
- At para 7 the BoE Note Circulation Scheme was ready to be finalised.
- At para 9, the ATM Link Scheme Attestation was waiting for sign-off from
Owen Woodley.
The Committee raised the following points on the report:
- Jeff Smyth queried whether there was a risk of duplicating efforts with the
SPM programme. Johann Appel reported that the audit on this was in the
planning stage. The Chair recommended that work not be started on this
until it had been discussed at the GE on 15 September 2021.
- The Chair stated that HIJ might have to be delayed in order to effect the
completion of the Belfast exit and the SPM programme, and if so, the PO
would have to consider their competing priorities in light of the inquiry. The
GE on 15 September 2021 would hopefully offer clarity on whether to divert
resources to these interim audits.
- Johann Appel raised the proposed changes to the audit plan. Risks that were
currently covered would still be covered under the changes, and the PO
would be tracking at approximately 30 audits per year.
- Johann Appel queried as to whether PUDO/Drop & Collect should be separate
programmes, and which one the Committee thought should receive
preference. Amanda Jones stated that this needed the combined view of the
Commercial team and Martin Edwards, and that PUDO should be prioritised.
- Regarding the Cyber Maturity Assessment 2020 at para 15, the Committee
recommended that the overdue JML action not be closed without full and
transparent disclosure to the ARC. Johann Appel would work with Jeff Smyth
and Tony Jowett to update the ARC on the level of residual risk that remains
and measures that will be taken to mitigate the risk.
- Regarding the actions from the Historical Matters Governance review
detailed at para 16, the completion date was September 2021; this couldn’t
be closed until the new directors were in place.
The Committee otherwise NOTED the Internal Audit update, specifically, the
progress being made with delivery of the Internal Audit programme and completion
of audit actions for onward submission to the ARC.
JA
Mails Deep Dive and Dangerous Goods Compliance Update
Mark Siviter and Andy Kingham introduced the paper, which had been circulated
previously and was taken as read.
The Committee raised the following points on the report:
- Amanda Jones reported that regarding para 6, Phase One Horizon menu-
based alternative to Dangerous Goods laminate, the first phase of the
Horizon went live on 3 June 2021, but the anticipated uplift in overall
mystery shopping performance had not yet materialised.
- Mark Siviter continued that at the time of the last update, the PO had been
working on Phase 1 for Dangerous Goods, to add a screen menu to allow
branches another option - it was thought that this would bridge the gap in
branch conformance. The first mystery shopping period had taken place in
August, but the expected benefit hadn’t been seen yet.
- The business case for Phase 2, Automation of Restricted Label Printing, had
been confirmed for a rollout in November, but this was dependent on the
CAA giving approval, and there had been challenges to governance at their
end. Phase 2 would require the clerk to print the label for a dangerous goods
item rather than the clerk manually applying a pre-printed label, which would
tie this action into the process.
- Phase 3 was to move the dangerous goods transaction start point to be early
in the post mail items journey, and to require customers to confirm the
contents of the parcel they were sending using pin-pad devices for mails
items, meaning that clarification would be sought from the customer as part
of the transaction as opposed to being elective by the clerk. This was the big
change that the PO was working towards.
- Jeff Smyth queried where Phase 3 fell within the range of priorities for the
PO - would it transcend Fujitsu and Ingenico? Mark Siviter stated that it
was recognised that Phase 3 had a big technical impact, and would start to
come up against a lack of resources. As soon as Phase 2 had been approved,
that would mean that the project could move forward. The background
impact of this rollout was being examined; it was likely that the postmasters
wouldn’t be happy with longer transactions, and the PO would look at how
this would sit with their priorities.
- The Chair recommended that the Mails Deep Dive and Dangerous Goods
Compliance Paper in the Committee pack be presented as an action update
to the ARC. The key question for consideration was that if Phases 1 and 2
didn’t work and the PO couldn't afford to roll out Phase 2, what would the
next course of action be. The Mails Deep Dive and Dangerous Goods
Compliance Update would then be submitted to the November 2021 RCC and
ARC meetings, after the October and November results had come in.
MS/AK
- Mark Siviter reported on insights from other providers, who were mainly
moving this function online. Deutsche Post were conducting screening at the
pre-transport level, so that dangerous goods didn’t make it onto planes.
- Andy Kingham stated that the branches who had been using the Horizon
menu-based alternative to the laminate were positive about the new
process. The mystery shopping results indicated a significant increase in
branches conducting conversations and taking questions about dangerous
goods, up from 42% in April 2021 to 60% at this point. An issue that had
been flagged was that customers didn’t see the clerk apply the label, but
when this was integrated into the process it was predicted there would be a
change with mystery shop conformance.
- The key consideration was that the dangerous goods process was still driven
by behaviour. The scales in post offices weighed, but could not x-ray goods,
so clerks were still reliant on customer confirmation. The PO had been
working on extracted items - two years ago the number of extracted items
that had gone to Belfast containing prohibited goods was significant, but the
PO had brought that figure down and achieved a target of 1.1.
The Committee NOTED this update for onward submission to the Audit, Risk &
Compliance Committee (ARC)
Postmaster Management Information Update & Data Governance
Framework Update
Nick Beal and Zdravko Mladenov introduced the paper on Postmaster Management
Information Update, which had been circulated and was taken as read. The
following points were raised:
- Nick Beal reported that regarding the provision of MI to Postmasters, the
number of features had increased significantly since May. Postmasters could
now see sales by staff and the PO was now providing MDA1 remuneration
reports.
- Last week, a webchat function had been launched. This had not been fully
detailed in the paper to the Committee, as it had taken place so recently.
This function gave Postmasters the chance to raise issues through a chat
function. A main topic raised in the webchat was issues with printers.
- Further to para 12, key activity through to December was as follows: (1)
SQL migration from existing standalone server to fully IT supported
infrastructure, aiming for December 2021/January 2022, which would
improve the efficiency of data management in Branch Performance and (2)
Access Control - Role Based Access Control (RBAC), which would enable
postmasters to make the various features on Branch Hub available to their
staff. Nick Beal was optimistic that there might be a pilot for RBAC before
Christmas, but this was a moving deadline.
- The PO was close to having more detailed information on remuneration data
in place, which would take feeds from the Remuneration system in CMS and
present it to Postmasters on a daily and weekly basis.
The Committee raised the following points on the report:
- The Chair acknowledged the progress made in this area. Amanda Jones
asked whether the Comms team had been asked to flag the progress made
and Nick Beal confirmed that when the pilot went live, all the positive
feedback would be flagged. An area manager had recently been recruited
into the scheme to assist engagement with Postmasters.
Matt Taylor introduced the paper on the Data Governance Framework, which had
been circulated and was taken as read. The following points were raised:
- Matt Taylor informed the Committee that he had worked on similar initiatives
in previous roles. Key steps included effective training of programme
stewards, setting up a framework, getting employees to understand that
they were accountable for the data they used on a daily basis and creating
examples of how improving the quality of data could improve how a business
was run.
- Matt Taylor confirmed that approval had been given for funding for a data
ownership framework across POL and the appointment of Data Owners to
high-level business segments. The aim was to have built the data ownership
framework and owners in place by the end of December.
- The Chair raised the issue of digital versus physical data, in the context of
moving more data to digital. Jeff Smyth asked about the involvement of the
Postal Museum. Matt Taylor stated that regarding the physical records site,
it needed to be shown where physical records were, and these records
needed to be indexed. Before the scanning process could be started, a huge
undertaking was required to make sure these physical records could be
added to the business. There was a legal hold at the PO, but the PO needed
to be sure that it could scan documents that needed to be shredded. The
Chair stated that the Committee needed to come back to the ARC on physical
data with a strategy for how it should be dealt with in light of the ongoing
inquiry, and the postal museum.
NB/ZM
- Jeff Smyth added that, although Matt Taylor would be accountable for the
people who were responsible for data, those people needed to be educated
on data strategy. Ben Foat stated that legal professional privilege was
applicable to this area, and that the people who were managing this process
needed to be appropriately trained. Ben Foat would instigate an offline
conversation on this matter.
The Committee NOTED this update for onward submission to the Audit, Risk &
Compliance Committee (ARC)
MT
BF
Postmaster Remuneration — 3rd Party Assurance
Tom Lee and Johann Appel introduced the paper, which had been circulated and
was taken as read. The following points were raised:
- Tom Lee stated that it had been decided to escalate work on Postmaster
Remuneration. It wasn’t yet clear how reliant the PO was on third party data
for information on postmaster remuneration at this stage, and this needed
investigating.
The Committee NOTED this update for onward submission to the Audit, Risk &
Compliance Committee (ARC)
Business Continuity Update (verbal)
Jonny Lonsdale delivered a verbal update on Business Continuity to the Board:
- Jonny Lonsdale stated that recovery times were currently being looked at to
ensure that the PO’s IT systems could support recovery times. It was also
important to ensure that third party recovery times were aligned with the
PO recovery times.
- It was agreed that Jonny Lonsdale would provide a paper on Business
Continuity for the 2021 November RCC and ARC meetings.
The Committee NOTED this update for onward submission to the Audit, Risk &
Compliance Committee (ARC)
JL
8.2 Contract Management Framework Controls
Ben Foat and Sarah Gray introduced the paper, which had been circulated and was
taken as read. The following points were raised:
- Sarah Gray reported that good progress had been made on uploading
150,000 contracts onto Web3. Legal had run training on contract
management, and had improved the Web3 and eCAF user experience. It
was hard to get contract managers to comply with CMF, as there were no
consequences for non-compliance. Sarah suggested that ARC nominate a
contract manager, and have compliance with the contract management
process integrated into their objectives. The Chair recommended that this
action be taken to the GE first, and then to the ARC. Subject to approval at
GE of the proposal and appointment of the GE-1s per BU to ensure
compliance with CMF in their BU, Legal would provide lists to the nominated
GE-1 individuals.
The Committee raised the following points on the report:
- Helen Rhodes requested clarity on what the contract owner needed to be
responsible for, and how this role linked into other functions. IT owned a lot of
contracts, because the budget sat with IT, and IT drove contracts with their
external parties. Helen wanted to be clear on the duality of the role of
business owners as well as function owners. Ben Foat stated that these
definitions were set out in the Contract Management Framework, which was
on the intranet. Sarah Gray would provide Helen with the extracts from the
Contracts Management Framework setting out the Contract Owners actions.
Ben suggested that the top contracts be targeted, and he and Sarah Gray
come back to this Committee and ARC on this.
- Johann Appel noted that it had been identified in the internal audit that
people were not always aware they were contract managers, and asked for
a list of the contracts and the owners that had been identified. Sarah Gray
would provide this to Johann. Sarah stated the Legal team had made good
progress in rolling out the process to 80 contract managers, who had been
offered training every two weeks, and now every month. There was a lot of
support in place, so the priority was now on getting people to prioritise and
comply with good contract management.
SG/MB
AI/SG
SG
SG
BF/SG
SG
The Committee NOTED this update for onward submission to the Audit, Risk &
Compliance Committee (ARC)
Whistleblowing Policy Interim Review
Victor Camara introduced the paper, which had been circulated and was taken as
read. The following points were made.
- Victor Camara noted that the Postmaster Support Guide had been updated
on whistleblowing, and that training had been provided to help Postmasters
identify reports for referral to the Whistleblowing team.
The Committee raised the following points on the report:
- Jeff Smyth asked about the reports relating to SmartIDs. Jonathan Hill
stated that the SmartID solutions were very effective, and the rules and
training given to the network was comprehensive.
The Committee NOTED this update for onward submission to the Audit, Risk &
Compliance Committee (ARC)
10. Procurement
10.1 - Procurement Governance and Compliance
Barbara Brannon introduced the paper, which had been circulated and was taken
as read. The following points were made:
- Barbara Brannon reported that the picture was improving, and that the risk
profile was down to £3m, and that what was left was very manageable.
- Barbara Brannon flagged the Camelot Cheque Clearing processing services,
a contract expiring in March 2022. A business decision had been taken to
bring a risk exception request to GE and Board in late autumn 2022. This
would also be raised at the 28 September 2021 ARC meeting, by which time
Procurement would know if the regulatory exemption could be relied upon.
10.2 - Bulk Cheque Clearing Account
Barbara Brannon introduced the paper, which had been circulated and was taken
as read. The following points were made:
- Barbara Brannon reported that the PO had a longstanding noncompliant
contract with Barclays for cheque clearing. POL had recently tendered the
Bulk Cheque Processing service, which had been won by Exela Technologies
Ltd. Barclays had also been in contention, but had declined to agree to PO
times. Exela were the more cost-effective option, but choosing them would
be a change of clearing bank. Barbara noted that Treasury policy stated that
approval of the new financial institution counterparties needed to be
provided by ARC and that financial institution counterparty limits need to be
provided by ARC.
- The Treasury had satisfied themselves that the PO had operational controls
in place. Exela would be notified that they were the preferred candidate and
the physical transfer would start in January 2022. There were also
obligations to notify the relevant banks, which the project team had
oversight of.
- Barbara Brannon confirmed that this matter would go to the 28 September
ARC regarding the governance around changing from Barclays to Exela.
Procurement would also negotiate on corporate banking with Barclays.
There was a conflict with Royal Mail, and this would also form part of
negotiations.
The Committee NOTED this update for onward submission to the Audit, Risk &
Compliance Committee (ARC)
11. Post Office Insurance Mystery Shopping Proposal
Ian Holloway and Mark Harris introduced the paper, which had been circulated and
was taken as read. At the request of the POL ARC, POI had been considering how
to optimise the oversight of financial services within POL.
The Committee raised the following points on the report:
- Jonathan Hill stated that he and Sarah Gray had completed an assessment
on the corporate approach and the risks that applied. Ben Foat
recommended that this paper be brought back to ARC in November 2021.
- The Chair asked Ian Holloway and Mark Harris how many branches they
thought should be selling POI products. Ian said that it depended on the
model that was operating. Introductions was a relatively effective model
that he thought everyone would benefit from, and the revenue that stemmed
from introductions. Travel was a mass market proposition. The sale of
protection within branches had moved downwards in recent times; it still had
a place within the distribution framework.
- Amanda Jones referred to the earlier discussion on dangerous goods and
compliance, and asked how POMs’ proposal demonstrated whether there
would be improvement in compliance. Ian Holloway stated at a micro level
improving compliance was about effective action plans, and at a macro level,
it was about aligning processes.
- The Chair stated that in terms of conflicted priorities, dangerous goods was
a higher priority, and he wasn’t sure if the network could embrace the
proposed plans with the amount of resources that were required; this needed
to be a point of consideration.
- Amanda Jones commented that the important takeaway was to balance
competing pressures with the value they brought. This needed to be overlaid
with the banking space; Amanda’s accountability was to drive remuneration
alongside compliance, so that the Postmasters earned more for their efforts.
Amanda didn’t disagree with the appetite or intent, but it was a matter of
deciding priorities.
The Committee NOTED this update for onward submission to the Audit, Risk &
Compliance Committee (ARC) in November 2021.
IH/MH/ED
12. Policies for Approval
Jonathan Hill introduced the paper, which had been circulated and was taken as
read.
The Committee raised the following points on the report:
- The Chair commented on the recommendation of a full gap analysis by Peter
& Peters PY a lot of money was being spent on
these reviews at a time when the PO was challenged on resources and
priorities, and this needed to be given due consideration. Otherwise the
Chair had no further comments on the policies. Jonathan Hill agreed that
these updates were for clarification rather than on substantive changes.
JH
- Jonathan Hill confirmed that he would update the Committee when the one-
page summaries were available.
The following were APPROVED for onward submission to the ARC:
- Law Enforcement
- HMRC Fit and Proper
13. Audit, Risk & Compliance Committee pre-meeting review
13.1 Agenda Tuesday 28 September 2021
The Committee agreed that:
- The Mails Deep Dive and Dangerous Goods Compliance Update would be
sent to the 28 September 2021 ARC meeting as an action update, with a
paper to come to the November 2021 RCC and ARC meetings.
MS/AK
- The Business Continuity Update would be presented as a paper to the
November 2021 RCC and ARC meetings.
JL
- The Post Office Insurance Mystery Shopping Proposal would be presented as
a paper to the November 2021 RCC and ARC meetings.
IH/MH
The Chair requested Tom Lee to provide a summary on the 2021/22 Annual Report
and Account, explaining the PO’s process and timeline.
TK
13.2 I Forward Plan (including Risk & Compliance Committee only items)
The Committee & ARC forward plan was NOTED.
14 I Any other Business
There was no other business.
Tab 2.5 Mails Deep Dive and Dangerous Goods Compliance Action Update
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Mails Deep Dive and Dangerous Goods Compliance Action Update
Meeting Date: 28th September 2021
Author: Andy Kingham, Franchise Partnering Director
Sponsor: Amanda Jones, Retail and Franchise Network Director
Input Sought: Noting
At the Post Office RCC on 14 September 2021, the RCC Chair asked for an action update on
Dangerous Goods Technical Improvements Horizon System Changes.
Dangerous Goods Technical Improvements Horizon System Changes
Phase 1 - Horizon menu-based alternative to Dangerous Goods laminate
The Horizon menu-based alternative to the manual
scanning of the dangerous goods laminate means that the
Dangerous Goods process is now integral to the Mails
transaction and forms a key part of the Mails conversation
with customers and is now system driven. This went live
successfully on 03/06/21, but the anticipated uplift in
overall mystery shopping performance has not materialised
as the biggest point of failure is still the failure to apply
labels, followed by the failure to ask clarifying questions.
That said, the latest mystery shop for P5 shows
performance levels for Inland improving period by period
+6% (58%) and International +5% (80%).
Phase 2 - Automation of restricted item label printing
A solution has been developed to enable the Horizon
system to print both the ID8000 and Lithium battery labels, with
testing due to be carried out in the next 3 weeks. A trial to
measure the effectiveness of this change will be piloted in
circa 200 branches in October for go-live in early
November. The CAA are very supportive of this activity and
are pursuing the final approvals from their Policy unit to
support the changes to label sizing and design.
This will address our worst performing mystery shopping
scenarios where these labels are required for certain items
that are restricted. Whilst it is safe to assume that
automated printing will not guarantee that all labels would
be correctly applied, we estimate it would sufficiently close
the gap to give an improvement in the region of 30% on
current scores to over 80% compliance. This is because the
system would require the clerk to print the label as part of
the transaction as opposed to the current process where
the clerk is required to manually apply a pre-printed label
(Anticipated to go live early November 2021).
Phase 3 - Moving the Dangerous Goods transaction start point
A quote has been received from our suppliers to move the
DG transaction start point to earlier in the Post Mail items
journey and is subject to appropriate finance approval.
Customer Self-Certification:
leading to a requirement for customers to confirm the
contents of the parcel they are sending using Pin-Pad
devices for Mails items. Again, this system driven change
would ensure that the correct clarification is sought from
the customer as part of the transaction, as opposed to
being elective by the clerk. However, increased transaction
times because of this proposed change will need to be
signed off by senior stakeholders and the Postmaster
Remuneration team before development can commence.
(Anticipated to go live Q4 2021/22 or Q1 2022/23).
Mitigations if we cannot implement Phase 3
We anticipate that Phase 2 system changes will address the
worst performing area when it comes to conformance to
process, taking mystery shopping pass rates to over 80%,
as the system will prompt the printing of the required
label.
After Phase 2 goes live and following on from the first two
months of mystery shopping results, there will be a full
review of progress so far including analysis of mystery
shopping results, including detailed root cause analysis and
review of training materials and all other activities to
ensure further improvement. We would also carry out
proactive interventions and training with branches where
there are still systemic failures identified by data.
What is the current focus in the network?
Network activities
Since June of this year, and following on from the relaxation
of Covid measures, our Area Managers/Business Support
Managers have been focusing most of their time on mails,
supporting Postmasters to maximise the opportunity in
branch through the use of the correct Mails conversation
and sales processes/dangerous goods understanding as
part of the Make the Most of Post Campaign.
Branches are being supported as follows:
- Step 1 ran from 21st June to 15th August and saw
3139 branches visited and coached during this
period.
- Step 2 commenced on 16th August and finished on
11th September. 1130 branches were coached,
whilst selected branches from Phase 1 are also
revisited. Running alongside this, the field team will
be running five, twenty-minute bitesize capability
training sessions via Teams and in person to support
branches on Dangerous Goods and several other
mails topics, which will strengthen capability and
understanding of the importance of adhering to the
processes.
- Step 3 will see an additional c.3000 branches coached
between 13th September and 5th November.
- Step 4 takes place prior to peak (8th - 26th
November), when the team will visit remaining
branches and ensure that key mails branches are set
up for Christmas. In addition, all branches have been
issued with a Mails ‘Back to Basics’ coaching pack
which reaffirms the importance of following the
correct mails conversation and dangerous goods
process.
Conformance champions across each of the nine regions
continue to lead regular update sessions with their teams to
increase focus and awareness. Area Managers are
contacting their worst 20 branches based on zero laminate
scans or button presses from within the Dangerous Goods
transaction which highlights marginal/non-existent activity
at the counter. Further coaching of branches on how to
question customers on the contents of their items.
Contractual Intervention - Ongoing discussions are nearing
completion to agree and deploy a formal contractual
process that will be followed after interventions made by
Area Managers, should a branch continue to be non-
conformant. Where a branch has two consecutive mystery
shop failures, this will be escalated to a Contracts Advisor
who will issue a ‘written direction’ to the Postmaster.
Visit prioritisation - Since June of this year, Area Manager
visits are prioritised based on a number of metrics,
including data on Dangerous Goods process conformance.
This ensures that support is targeted at the right branches.
The year to date volume for the 2021/22 financial year, for
items intercepted by Royal Mail is 5654 vs 6825 last year
(a decline of 17%). This represents 0.001% of our
total Parcels volume. Whilst any number of items
intercepted represents a customer detriment, current
volumes in comparison with overall volumes transacted are
negligible.
Tab 3.1 Risk Report & Dashboard
POST OFFICE LIMITED
AUDIT RISK & COMPLIANCE COMMITTEE REPORT
Title: Risk Update
Meeting Date: 28 September 2021
Author: Mark Baldock, Head of Risk
Sponsor: Al Cameron, Group CFO
Input Sought: Noting
This paper provides an overview of corporate risk activity undertaken over the last 2
months with particular focus on:
- the work undertaken to further amalgamate/rationalise the top-down/bottom-up
risk assessments
- an update on the current status of our key critical risks (particularly those
outside of recently approved appetites)
- the work underway behind the scenes to implement a Governance, Risk &
Compliance (GRC) capability across the business.
Executive Summary
The ARC are asked to note:
- Our key risks and what we are doing to improve our position
- The status of GRC implementation
- Next Steps
Mark Baldock
Head of Risk
Report
- What are our key risks and what are we doing to improve the position?
- What is the status of GRC implementation?
- What are Next Steps?
Context
1. At ARC in 7/2021 we presented a top-down view of the critical risks we faced, a
summary of what we are doing to mitigate them along with a bottom-up
perspective reported, every two months, through the Service Now Governance
Risk & Compliance (GRC) tool.
2. Since then we have further amalgamated/rationalised the top-down/bottom-up risk
assessments to increasingly get us to a ‘single source of truth’, updated the
current status of our key critical risks (with particular focus on those outside of
recently approved appetites¹) and continued our work to implement a GRC
capability across the business. This paper provides a summary of our work
during this period.
The key risks
Commercial
3. At the last ARC we advised our key Commercial risks were:
- a risk the Post Office market share in Parcels reduces because of increasing
competition from RMG and others (4:2). This was (4:3) in the last period.
- a risk the Post Office customer journeys and, as a result, client
arrangements become less competitively attractive over the next 5-10
years (4:4)
4. Commercial are to submit a ‘base’ strategic business plan for Board approval in
9-10/2021. It includes a review of key revenue drivers (i.e. Banking, Mails,
Insurance and Travel Money) and the extent to which Bill payments can help
drive branch footfall. In this context these risks and their ratings remain broadly
unchanged. Key short term mitigations continue to be (as already reported) the
Amazon Trial, PUDO, BF3 and Drop & Go improvements. Ongoing positive
progress in these areas should see a reduction in the residual risk. Additional
risks of interest are given below.
RK0020822 - Long term Commercial sustainability of Post Office (4:3) (Appetite tbc)
5. There is a risk that Post Office does not find enough new commercial
opportunities to drive the ‘top line’ and Postmaster profitability. The recent
Board Strategy awayday (7/2021) confirmed the need to focus on core business
and minimise distractions. As such the Commercial strategy team are regularly
assessing opportunities to enhance our Core, simplify our business and improve
profitability. Recent examples include refreshing our Mails Strategy, reviewing
our Government Services contracts to assess which ones we should bid for, and
scanning the market for other commercial opportunities.
RK0020034 POI product sales below forecast (3:5) (Appetite tbc)
¹ Note we are aware there were a number of risk appetite statements (RAS) approved in 2015. These will be
subject to further review. In the meantime we have focused on those RASs approved by ARC since 3/2021 (i.e.
Legal & Compliance, Operational and People). These provide a firmer baseline.
6. Because of the ongoing adverse impact of COVID-19 on the travel industry there
is a risk that POI product sales remain significantly below forecast resulting in
reduced revenue. Although a POI travel product is now back on sale significant
uncertainty remains within the market as to the form and rate of any recovery.
Given quarantine restrictions there is significant doubt that there will be a
significant number of travellers within the current financial year. It is too early to
see a change in the risk profile.
RK0020074 POI non-compliance with FCA General Insurance pricing measures (3:2)
(Appetite tbc)
7. Because the market changes radically when the new FCA price walking regime
rules go live there is a risk POI is not ready or has misjudged the outcome. As
a consequence, it is unable to deliver on its five-year plan. This risk has been
formally reviewed and seen a material reduction in its risk rating from (5:3). In
terms of mitigation a POI Board sponsored Programme with supporting SteerCo
is well established and on track to deliver all required changes. The likelihood of
compliance is now extremely high. The key risk is how the market behaves in a
new pricing world and for that we maintain a cautious impact rating. We have
built market monitoring tools to ensure we are able to react nimbly on a
frequent basis to market movements.
RK0020744 (Low Value Non Round (LVNR) Transactions processed as Cash
Withdrawals) (3:4) (Appetite tbc)
8. The Risk is that Postmasters could be processing POS transactions as Cash
withdrawals, against the explicit contractual terms agreed with the banks. This
risk was initially reported to ARC in 7/2021. At the time the risk was rated as
5:4 but has now reduced. In part this is because the industry now recognise this
is a wider issue than just Post Office and are therefore exploring an industry-
wide solution. An identical issue has been identified in the CWP trials indicating
that any retail third party channel could find ways to serve LVNR customers with
non-round amounts some of which are genuine, some of which could be
‘substitution’. Although a live issue the likelihood of specific action against the
Post Office is seen as receding.
RK0020764 (Post Office being challenged as 'Agent' for cash banking by FCA) (3:5)
(Appetite tbc)
9. FCA has asked for clarification of our status as ‘agent’ (under _ Services
Regulations) and under which advice we made that choice.
NEW: RK0020961 (DVLA contract financial ratios) (Appetite tbc)
10.
NEW: RK0020975 Risk the travel market becomes increasingly digital, undermining
Post Office physical FX and limiting travel cross-sell (Appetite tbc)
12. This risk has yet to be formally rated. The business view this as a potential
opportunity risk. This is because physical cash entities (such as FX) have seen
significant business pressures and these pressures have led to increased
business for us. As lockdown restrictions lift and more extensive travel emerges,
cross sales to Travel Money Card (digital) increase, and cross sales of Travel
Insurance could present additional opportunities in sales and postmaster
remuneration. Further analysis of the market dynamic is required.
RK0020103 Management of commercial partnerships and supporting contracts (2:4)
(Appetite tbc)
13. There is a risk we are ineffective in the management of our commercial
partnerships and supporting contracts. If this risk materialises, we may suffer
from unsatisfactory performance, breach of material obligations, inefficiency,
poor value for money, fraud, and/or failure to meet business
requirements/objectives thereby adversely impacting revenues and resulting in
customer detriment and postmaster detriment.
14. The risk profile is gradually improving. A team in Commercial has been stood up.
A Commercial Head of Contract Management and Contract Manager have also
been appointed. The team will help Commercial understand its material
obligations and support contract owners with the management of their
commercial contracts.
Postmaster & Network
15. Since the last ARC much work has been undertaken to focus on the key risks in
this area such that we are able to secure the ongoing trust and engagement of
postmasters. Although significant progress has been made (such as a suite of
new postmaster policies and supporting processes etc) inevitably this has yet to
fully embed and be overtly recognised by the Postmaster community. It will be a
slow process to fully mitigate risks in this area and will need underpinning by a
new postmaster engagement model. Key risks outside the recent ARC approved
operational appetite are given below.
RK0020055 Postmaster proposition not profitable (3:4) (just outside of Averse
appetite)
16. Our complex systems and products require dedicated staffing (and staff costs
have increased while remuneration has reduced). There is a risk our retail value
proposition is not profitable enough to sustain Postmasters' business. Mitigations
include reducing postmaster staff costs through process improvements and
automation of mails & banking, introducing simpler propositions, exiting
branches which do not have the conditions for long-term viability, increasing
remuneration (including our short-term response to the MDA2 consultation) and
increasing top line growth for postmasters. Our Mails Strategy paper set out the
options for strengthening our position in the value chain as the market moves
online. We are currently working with the COO to articulate specific risks around
the mains/locals remuneration differential.
RK0020632 Postmasters lose faith in our ability to change (4:2) (just outside of
Averse appetite)
17. If we fail to listen and act on feedback from Postmasters, there is a risk we
cannot reset the relationship and put them at the heart of our business. Key
mitigations already implemented include Adopt an Area, a formal complaint
process (with in-depth reviews to give insight and take action through monthly
‘Voice of the Postmaster’ meetings), co-creation sessions following the
consultation and the recent appointment of a Postmaster Director. Future actions
include a new engagement model for both strategic partners and Postmasters for
implementation in Q4 2021/22 and a pulse survey of postmasters around
10/2021.
RK0020578 Lack of insight into how to support branches (3:2) (just outside of Averse
Appetite)
18. Because reporting functions are underdeveloped and under resourced and suffer
challenges around the collation and understanding of making data visible, there
is a risk that there is not enough insight to allow us to support our branches
optimally. The Data Platform should clearly improve the ability to access data
held on individual branches and Postmasters and in turn improve insights on
how to best proactively support Postmasters. ‘Branch Performance’ on Branch
Hub is planned to be rolled out to all branches by 1/2022 ensuring that all
branches have the same information available to them directly.
RK0020593 Fail to support new agents (3:2) (just outside of Averse Appetite)
19. Because running a Post Office branch requires understanding of a complex
product suite and EPOS there is a risk of insufficient training and support
for newer agents. In line with taking forward a range of Deloitte
recommendations (overseen by the IDG) we have recently introduced a high
level visual timeline for all potential new postmasters across all journey types
(including Strategic Partners) to manage expectations from the commencement
of onboarding. We have also implemented a number of financial assessment
changes (including the offer of a consultation meeting for a prospective
postmaster). Finally, we are trialling a two-step application process which allows
for an initial ‘Agreement in Principle’ decision. Evidence is that the average E2E
onboarding timeline has reduced from 9 months (2 years ago) to 5 months (currently).
Financial
20. The key financial risks remain relatively stable. Long-term mitigations continue
to be around securing the requisite funding for 2022/25. We await the outcome
of the CSR submitted in 8/2021. This is expected in 11/2021 and we assume it will
cover a 3-4 year planning horizon. The key risks (listed below) are unlikely to
see a material reduction until the CSR outcome is known and begins to be
implemented.
RK0020059 Lack of funding (5:3) (Appetite tbc)
21. As Post Office is heavily dependent on government funding there is a risk that
we are not provided with sufficient funding (investment funding and Network
Subsidy) to cover investment plans and other activities.
RK0020060 HMG do not pay balance of HSS claims (3:5) (Appetite tbc)
22. Risk that HMG do not pay the balance of HSS claims and all of the post-criminal
settlements, and workers’ rights impacts, including malicious prosecution claims
as required.
RK0020524 Net Liabilities (4:4) (Appetite tbc)
23. Risk that we may enter a position of Net Liabilities which may trigger a number
of events such as default on commercial agreements and funding arrangements.
Legal
24. At the last ARC we reported our 2 primary legal risks were around (i) Post Office
contractual breach, Postmaster detriment and/or reputational damage in the
event we do not conform with the CIJ and HIJ judgements and (ii) a risk we
could be faced with new legal risks and increased costs in the event the HSS is
not delivered satisfactorily. These risks remain and clearly will not be fully
mitigated in the short-term.
25. We should note 3 key legal risks are outside of the ARC approved appetite.
RK0020101 (3:5)² (outside Cautious Appetite)
RK0020092 Anti-Money Laundering non-compliance (2:3) (just outside Averse
appetite)
26. The residual rating is driven primarily by risks associated with high levels of SARs
and investigation levels impacting team resource, and the relative low
completion of mandatory compliance training. In terms of mitigation additional
resource was secured in 8/2021 and further recruitment is underway to replace
recent FCT departures. SARs volumes, although high, have levelled off in recent
months. AML mandatory training completion was recently at 94.50%. HR are
chasing those that have yet to complete, including automated reminders sent to
contractors.
RK0020086 Competition Law - Adverse findings from Competition Act investigation
(2:3) (just outside Averse appetite)
27. There is a risk that, if we fail to comply with competition law, regulators could
investigate or competitors successfully challenge such behaviour, resulting in
regulatory sanctions, severe penalties of up to 10% turnover, financial and
reputational damage. Legal have commenced a Competition Compliance
Programme in Q4 2020/21 which will run throughout 2021/22. The first stage is
assessing where competition risks lie within the business via structured
questionnaire interviews with senior staff responsible for key business areas.
HMU
28. In light of announcements around HMU General Counsel has recently
commissioned work on both HMU and the Public Inquiry to clarify (among a
² Legally privileged — see Appendix B
number of elements) the long-term organisational structure required, the
associated funding & budget and the perceived barriers to success and their
mitigation. We will be looking for all HMU risks to be reviewed as part of this. In
the meantime the key risks reported in this area remain as follows.
RK0020066 Historical Matters overturned convictions (3:5) (Appetite tbc)
31. Because of ongoing Group Litigation actions the Post Office is perceived as
dishonest, disrespectful or incompetent in its dealings with its employees,
Agents, partners and/or customers which leads to loss of sales and/or
increased costs through fines and legal fees.
RK0020634 Historical Matters Scheme Independence (4:3) (Appetite tbc)
32. Because of UKGI/BEIS seeking involvement at various stages of the Historical
Shortfall Scheme settlement process there is a risk that the Scheme may be
seen to be less impartial than originally envisaged due to shareholder involvement
and perceived undue influence at governance meetings. The interaction between
Post Office and Shareholders (UKGI & BEIS) is documented within an Operations
Agreement. Regular monitoring meetings are in place with UKGI/BEIS and an
Independent advisory panel has been in place since 9/2020.
Technology
33. At the last ARC we reported our 2 key IT risks were around (i) Post Office failing
to replace Horizon or only doing so with material uncertainty for Postmasters and
(ii) our system security, resilience and disaster recovery being inadequate. These
risks remain. It is also important to note the delivery of Belfast Exit along with
SPM are our key IT priorities such that the overall risk profile should be viewed
in this context.
RK0020695 Historical Matters Horizon Implementing Changes (3:3) (Appetite tbc)
34. To fully mitigate this risk will clearly take time. However the risk profile has
begun to see some incremental improvements. Although the long-term
mitigation remains the SPM programme steady progress has been made in
recent months. The multi-year business case has been completed and approved
by the Board. Technology delivery is on track for an MVP enabling a first live
branch in late 9/2021 with a further 100 locations potentially opened by end of
12/2021. Key experienced internal resource has also been secured including a
Test & release manager, contract manager and chief IT architect. Additional IT
controls are also being introduced to manage the development and testing of
changes utilising this method. 57 controls (recommended by KPMG) are now live
and going through formal attestation.
35. As previously reported key challenges remain around insufficient knowledge of
key core processes, technical assurance bandwidth and competing pressures for
senior management focus.
RK0020672/RK0020673/RK0020077 End of Life Technology (Computacenter,
Accenture and Fujitsu) (Various) (Appetite tbc)
36. We are also managing a suite of risks around operating with End of Life
technology.
37. The risk around Computacenter support (3:4) has slightly reduced. It is being
mitigated, in part, by the recent EUC procurement exercise which resulted in
DXC being awarded the £7.23m contract, albeit delivery is not scheduled for
completion until 6/2023. The programme has been provided with a £1.25m
drawdown for delivery through to 1/2022 when the next drawdown will be
finalised (firming up TUPE costs).
38. The risk of unsupported IT services within Accenture's environment (3:4) has
also reduced, as Accenture’s extended support does not end until 12/2021. Given
this, a decision on upgrading Credence/MDM will be informed by the Data
Platform Proof of Concept scheduled over the next couple of months.
39. Finally, the risk profile of unsupported IT services within Fujitsu's environment
(5:2) has also seen a slight reduction. The Fujitsu contract has been extended
to 2023 and work continues apace re AWS Cloud migration.
RK0020090 Inadequate BC/DR arrangements (3:4) (Appetite tbc)
40. The risk profile has improved since the last reporting period. A comprehensive
set of DR tests are now underway with all suppliers (where technically
possible). In particular the Accenture Back Office finance test was completed
successfully in 3/2021, a successful Verizon failover exercise (from the Primary
to Secondary Data Centres) took place in 8/2021 and a Fujitsu failover exercise
is scheduled for 10/2021. A decision is still required on a Computacenter failover
test given the EUC contract has just been awarded to DXC. One option is to
undertake the test with the former (but this may not be cost effective); the other
is to reschedule the test for when DXC take over the service (but this will be
long-term).
Strategy & Change
41. These concern risks around the Post Office’s Strategy proving ill-defined,
unaligned to the interest of its key stakeholder(s) or not easily adaptable to the
macro-environment.
RK0020061 Strategic non-alignment of Change Portfolio (3:4) (Appetite tbc)
42. Although our strategic vision is clear there is a risk our change portfolio could
become unaligned in the short, medium and longer term because of the need to
restack the portfolio to allow prioritisation around Belfast Exit and SPM. We are
working hard with the business to appraise how appropriately focused the
change portfolio is, and the level of comfort among senior management around
whether our investments are likely to deliver the desired key corporate
outcomes.
RK0020049 Strategy too slow to adapt to volatile macro-environment (3:4) (Appetite
tbc)
43. As a result of a potential lack of capability our Strategy may prove too slow to
deliver or unable to adapt when conditions in its markets or the wider
macroeconomic environment change. This risk will be further reviewed in
12/2021 following Board discussions on strategy etc. In the meantime the
Strategic Portfolio Office are ensuring change activities build in flexibility,
particularly where market dynamics are more likely to shift. Greater scrutiny is
also being applied to investment rationale to ensure the current market
environment for the specific activity is considered. Plans are being put in place to
empower project governance to take difficult decisions if, at a given moment, a
project needs to pivot, pause or stop. At this point the associated Portfolio
Prioritisation internal controls have been attested as effective and in a compliant
state.
People
44. As advised previously our key strategy is to have fewer, better people able to
deliver the strategic needs of the business. In light of this Group People have
reviewed all their risks which now form the new baseline against which future
progress will be tracked. The key risks are given below.
RK0020068 Culture/Ways of Working Misalignment (3:4) (Outside of Averse Appetite)
45. Our new Ways of Working need to be embedded so that they contribute to us
achieving our cultural ambition of being a successful retail franchise business
that is truly postmaster centric. Short-medium term mitigations include the
Board, GE and Senior Leadership Group proactive adoption of ways of working
and the creation of an implementation plan for the Service Culture.
RK0020651 People Shared Service Centre (PSSC) Processes (3:4) (Outside of Averse
appetite)
46. We need to have clear processes (and use of Technology) that line managers,
employees and stakeholders can use so that appropriate changes are made to
employee data, payments are correctly processed and contractual changes are
all made in a timely manner according to regulations and our policies.
Short-medium term mitigations include an organisational review of end to end
processes, the establishment of a PSSC Process Improvement project, the
development of a long term technology plan for People processes that enables
greater self-service and end-to-end case management.
GRC implementation
47. We continue to implement a corporate GRC approach (and supporting tool).
Since the last ARC we have continued the rollout of risk and control
management capability beyond Central Risk to Business Unit Heads and
individual Risk Owners.
48. 107 Risk Users are now live on the platform across Central Risk, Commercial,
SPO, Technology, Retail Franchise and some elements of HR. Remaining
49.
50.
51.
business areas deploying in 9/2021 and 10/2021 include Finance and Group
General Counsel (which now includes HMU).
Finance, IT and SPO Policy & Compliance Management (Controls) are also live.
129 Compliance Users can now access their controls directly on the system. 42
SPO risks & controls have been mapped on-line and 57 IT Controls and 143
Risks mapped offline. Initial control attestations have been completed and, to
date, positive user feedback received.
Vendor Risk Management (VRM), the final rollout component, is expected to go-
live in early 11/2021 after completion of the necessary configuration. This will
allow the GRC project to formally close and transition to BAU.
Initial feedback is broadly positive but ongoing and intense work by Central Risk
is required to fully embed the new ways of working to ensure this new approach
is seen as of direct benefit to the business rather than simply an administrative
burden. There are challenges here, particularly around maintaining proactive risk
ownership, data quality and putting in place enduring governance. An Internal
Audit review of GRC implementation currently underway is a key input into this
debate.
Next Steps
52. Key milestones over the next 2 months include:
* completing the alignment of the top-down and bottom-up risk assessments - from 9/2021
* putting in place a rolling programme for further ARC deep-dives - from 9/2021
* completion of GRC deployment into Business and project closure - by 11/2021
* completion of migration of Finance, Strategic Portfolio Office and IT controls
onto GRC platform and linking these controls to associated risks for the first
time - by 10/2021
Mark Baldock
Head of Risk
Appendix A: Post Office key risk assessment summary
Appendix B: Legally Privileged extract
Appendix A: Post Office key risks assessment summary
[Table: key risks assessment summary. The table contents are not legible in this copy.]
Appendix B: Legally privileged extract
Tab 3.2 Compliance Update
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Compliance Report
Meeting Date: 28th September 2021
Author: Jonathan Hill, Director, Compliance
Sponsor: Ben Foat, Group General Counsel
Input Sought: Noting & Decision
The Committee is asked to:
1. note the Compliance update.
2. The Committee is asked to note the latest position in respect of the FCA’s view of Post
Office’s regulatory status for Banking Services. It is likely that we will need to engage
external counsel and our stakeholders when the FCA sets out its position in detail.
Compliance
Controls Framework
1. We are re-initiating the Controls project that was put on hold earlier in 2021. This will be
rolled out on a modular basis, starting with key risk areas, using/testing the Controls
Framework and developing a Controls tool within ServiceNow that will support all areas in
Post Office.
Together with the Service & Support Team we are developing operational controls focusing
on Postmaster Service and Support. A business case is due to be submitted shortly.
Subject to each area completing individual business cases it is proposed that this will be
followed by Mails, IT, and Data.
It is anticipated that this controls work will take circa 2-3 years to implement across all
of Post Office.
Data Protection and Information Rights
Data Protection Breach (August 2021)
5. An initial breach notification has been reported to the Information Commissioner's Office
(ICO) relating to a lost ex-employee’s HR file, which was requested by the Criminal Cases
Review Commission (CCRC). Following the initial notification (which has to be made within
72 hours of the incident being identified) we believe the risk of action from the ICO has
considerably diminished.
Data Management - Remote Location / Back Office and Oasis Searches
6. A project run in conjunction with Legal, the Historical Matters Unit and Compliance has
been progressing since Q3 2020.
7. This work is now completed for the Criminal Cases Review Commission (CCRC), the Post-
Conviction Disclosure Exercise (PCDE) and Starling.
8. Analysis has now been completed for applicability for applicants to the Historical Shortfall
Scheme (HSS). The Historical Matters Committee (HMC) agreed that work should be
progressed to identify and record the contents of the unindexed records. This included
completing a proof of concept exercise which has not yet taken place as resources have
not yet been identified and approved by the HMC.
Cookies
9. Post Office’s position has always been to maintain a ‘middle of the pack’ approach.
However, given heightened scrutiny and more businesses introducing tighter controls, the
business recently implemented a fully compliant solution with all cookies set to “off” and
stricter controls on the use of social media/marketing cookies. HMG is considering a
change to the Cookie legislation which Compliance, Legal and the Digital team will continue
to monitor and propose any changes that may be required.
Freedom of Information Requests
10. As a direct result of the GLO, HSS, the public inquiry and other high profile initiatives, the
team are continuing to see an increase in the number and complexity of Freedom of
Information requests compared to 2020. There is a balancing act between transparency
and protecting Post Office’s commercial and legal interests. It is clear that there are a
number of special interest groups who make co-ordinated requests and this requires
careful management.
Freedom of Information Requests
| Time period | FOI | Internal Review | ICO Appeal | Total Requests |
|---|---|---|---|---|
| July - 13th Aug 2021 | 28 | 1 | 1 | 30 |
| 2021 YTD | 166 | 8 | 2 | 176 |
| 2020 YTD | 77 | 4 | 0 | 81 |
11. Compliance and Legal meet on a weekly basis with internal and external counsel to ensure
that any proposed release of information is in line with information released to the Inquiry
and to responses made for similar requests by BEIS/UKGI.
12. Any information to be published is subject to internal governance procedures with a
proposal to make all disclosure working with the Scheme Decision Forum (SDF). The Data
Protection Officer is currently working with the SDF to build this into their weekly agenda.
Financial Crime
Compliance with Money Laundering Regulations
13. HMRC advised via e-mail in July that the supervisor assigned to Post Office was going on
leave, and a new supervisor was taking over with immediate effect. Contact
details have been provided to the new supervisor, but to date no contact has been made
by them, nor any request for a meeting with Post Office.
14. There have been issues in the last 2 months with the production of the monthly agent Fit
& Proper data for HMRC - manual workarounds are in place and Accenture are working
on a fix. Data anomalies have also been identified in premises registration data, but many
of these appear to be down to manual input error by HMRC and we are working with them
to resolve. Once the data held by Post Office and HMRC has been understood, HMRC have
agreed to accept a full cut of data from Post Office to re-baseline the data in their system.
15. Suspicious Activity Reports (SARs) have continued to rise compared to last year, with
1766 received and raised between 9th June and 13th August 2021 (1175 in the same
period last year), however, over the last 3-4 months the level of the rise has stabilised.
There has been an increase in the level of internal SARs raised following investigation into
high value banking deposit cases, along with suspicious activity identified from bureau
transaction monitoring, particularly as travel restrictions are starting to ease. Although
we received a spike in SAR reports from the network in June, most likely due to them
completing their annual AML training in May, we identified a significant reduction in July
and have issued reminder comms via the Area Managers to encourage reporting. The
additional FTC PO role in Chesterfield has now been filled and the individual started in
August.
16. In this same period, there were 221 Financial Crime investigations (compared to 207 in
the same period last year). The majority of cases relate to bureau transaction monitoring,
however, we continue to see multiple complex investigations concerning high value
suspicious cash deposits which originate from referrals from the banks and cash centres.
17. Several Law Enforcement (LE) activities have been supported:
+ We provided intel to West Midlands Police concerning three subjects depositing large
volumes of cash at branches in Birmingham - c.£12m was deposited at 17 branches
in c.11 months. Following police surveillance and intelligence provided by us, these
individuals have been linked to one of the main crime gangs operating in West
Midlands. We have been advised three individuals have been arrested and £100k has
been seized.
* Ongoing support has been provided for an operation in North London relating to high
value cash deposits. CCTV has identified a suspect depositing high value cash deposits
onto multiple cards, operated by a single bank who it is believed is linked to an
Organised Crime Gang. While reviewing CCTV at one branch, we identified a number
of mails non-conformance and security breaches. A branch visit is being completed by
the Area Manager and Security Manager in order to address these issues and mitigate
further risk to the Post Office.
+ We are currently working with the South West Regional Organised Crime Unit
concerning SARs we submitted relating to high value cash deposits at multiple
branches in Gloucester and Bristol. They have identified 13 potential suspects
who they believe are linked to drugs and money laundering and are in the process of
completing surveillance on these suspects.
18. We continue to support industry National Economic Crime Centre initiatives to reduce the
money laundering threat risk from cash-based transactions and meet regularly with banks
within the Banking Framework. The FCA visited the model office in August to increase
their understanding of how cash deposits are accepted in Post Office as part of the work
they are doing with the banks to identify ways to tighten controls around cash deposits.
19. We continue to see reports of fraud via digital vouchers (Google Play and Amazon), and
these are shared with the Product team. The Product Team is investigating the
implementation of a £300 transactional limit. Whilst current fraud reports have reduced
recently, it is believed that without implementation of a transactional limit cases of fraud
will continue and/or increase again.
Anti-Bribery and Corruption (“ABC”) update
20. Annual ABC Compliance training is being rolled out with a closure date of 27th
September.
Whistleblowing Update
21. Please see the separate Whistleblowing Report.
External Threats
22. We are still awaiting the outcome of the Economic Crime Levy Consultation that Post Office
responded to in October 2020 - the Government website has not been updated since the
consultation closed.
23. HMT have published a consultation into proposed amendments to the Money Laundering
Regulations and a call for evidence to review the UK’s AML/CTF regulation and supervisory
regime. Proposed amendments that may impact Post Office are related to the SARs
regime, information sharing and the treatment of Bill Payment providers. There is a
common view that the mandatory requirements in the MLR demand too much time from
relevant entities, such that the other activities which can actually contribute more
meaningfully to the fight do not get as much resource as they need. As a result part of
the call for evidence will look at whether a significant proportion of resource generally is
used on activities which make a limited contribution to the objectives - and this will
include, for example, the indirect contribution to the objectives for the fit and proper test
for those who run money services businesses. Work has commenced in reviewing the
proposals and call for evidence - responses are required by 14th October.
24. Brexit and AML/CFT - Industry reports state that there are no formally defined or concrete
mechanisms in place to facilitate cooperation between the UK and EU, which impacts client
onboarding, sanctions implementation, intelligence sharing and other law enforcement
coordination. The Political Declaration issued in October 2019 states that the future EU
and UK relationship should include arrangements for cooperation in data sharing, law
enforcement and judicial criminal matters, and AML/CTF. And while a very high-level
agreement was made to “go beyond” FATF standards, particularly around beneficial
ownership transparency and virtual assets, detail is lacking.
Supply Chain Compliance
25. Two NCS assurance visits in Cash Centres and one Depot assurance visit were completed
in the period (London CViT, London and Birmingham NSC Cash Centre sites), 4
improvement needs identified in line with the average, and no critical issues identified.
26. A review of Licence management identified the Cyber Essentials certificate is out of date
(this was delayed due to lockdown). This must be completed before the external audit on
4th October as this is a gateway to operating the licence management scheme that Supply
Chain rely on to ensure they have sufficient resource. Post Office Cyber Security expect
the licence to be in place before the end of September.
27. A recent unannounced visit by the Bank of England to London Cash Centre identified an
issue with vault access. An engineer attended site on 7 August 2021 to upgrade the
vault to dual access and the Bank of England have confirmed they consider the action
meets their requirements.
Financial Services
Compliance Monitoring
28. FS Mystery shopping continued through June and July across the network FS portfolio.
29. The key area of weakness identified relates to Travel Insurance sales (36% red in Q1)
where branches were not following the approved sales processes. This is important
because (i) we must demonstrate an FCA compliant process to our Principal and (ii) in
some circumstances this could impact on the customer’s insurance cover.
30. Travel Insurance in branches has been ‘on and off’ sale throughout covid reducing branch
knowledge and confidence and feedback from the mystery shops is showing that branches
appear to be reluctant to talk to customers about Travel Insurance, with some actively
telling branches that the product is off sale.
31. The Conduct Compliance team will be reviewing the quality of the Area Manager’s
development plans particularly where branches are graded red and providing feedback if
further action should be taken. Quality checks on a 10% sample of Amber, Green and NA
shops will be completed, we will aim to spread this out across the regions. There are also
some branches (mainly DMB) that demonstrate good conformance with best practice
experience that can be shared.
32. Ultimately for those branches where, with additional support, we cannot improve
conformance we will need to consider, together with the Principal, withdrawing the
product from those branches.
Mails/Dangerous Goods Shopping
33. The Compliance team does not currently provide oversight of this area but for
completeness this information has been provided by the Network lead team/Mails team.
(Awaiting info and actions from mails product team)
FS Key Regulatory update - Banking Framework and FCA
43. The Overall Compliance Dashboards (Appendices 1 and 2) are included in the reading
room as well as an overview of other future FS developments (Appendix 3).
Appendices
1. Compliance Dashboard Front Page
2. Compliance Dashboard Back Page
3. Financial Services Regulatory Calendar
4. Group Key Policy Dashboard
5. Postmaster Support Policies Dashboard
Tab 3.3 Internal Audit Update
POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT
Title:
Internal Audit Report
Meeting Date:
28th September 2021
Author:
Johann Appel: Head of Internal Audit
Sponsor:
Al Cameron: CFO
Input Sought: Noting
The Committee is asked to:
1. Note the progress being made with delivery of the internal audit programme and
completion of audit actions;
2. Note the proposed changes to the internal audit programme for the remainder of 2021/22.
Previous Governance Oversight:
September Risk and Compliance Committee.
Executive Summary
This paper provides a summary of the latest internal audit position for 2021/22 and an
overview of the proposed changes to the 2021/22 internal audit programme.
The Report
Progress against plan 2021/22
1. Delivery of the 2021/22 programme is making good progress. Five audits were
completed in the current reporting cycle (4 POL and 1 POI).
2. The current status of the 2021/22 plan is as follows:
[Charts: POL Internal Audit Plan 21/22 (Status: Total Audits = 30) and POI Internal Audit Plan 21/22 (Status: Total Audits = 6); legend: Completed, Reporting, Fieldwork, Planning, Not started.]
Chart notes: Target number of reviews based on revised plan for 2021/22 approved by ARC (22 Internal control reviews & 8 change assurance reviews). POI ARC approved baseline plan for 2021/22.
Details of the audit plan status are included in the reading room (Appendix 1).
3. The following audits are underway or being planned for delivery in Q3:
| # | Review | GE Sponsor | Timing |
|---|---|---|---|
| 1 | CFS Application Controls | Al Cameron | July |
| 2 | Effectiveness of Financial Crime Function | Ben Foat | Sept |
| 3 | ServiceNow Implementation | Al Cameron | Sept |
| 4 | Cyber Security (Phishing and Ransomware) | Jeff Smyth | Oct |
| 5 | IDG Assurance - Phase 4 | Dan Zinner | Nov |
| 6 | Business Continuity | Al Cameron | Sept |
| 7 | GLO Compensation Schemes | Ben Foat | Oct |
| 8 | Effectiveness of Compliance Function | Ben Foat | Nov |
| 9 | Postmaster Remuneration | Dan Zinner | Oct |
| 10 | PCI Follow-up (Part 2) | Jeff Smyth | Oct |
| 11 | SPM Mobilisation/Delivery | Jeff Smyth | Oct |
| 12 | Horizon - Rationale & Value of Interim Improvements | Jeff Smyth | Sept |
| 13 | EUC - Transition to new supplier | Jeff Smyth | Sept |
(*) Completion of this review was delayed due to Accenture staff availability. The review is now nearing completion and will be reported at the November RCC
and ARC meetings.
Internal Audit reviews completed
4. The following four audits were completed since the July ARC meeting:
1. Treasury Operations
2. BoE - Note Circulation Scheme
3. IDG Assurance - Phase 3
4. ATM Link Scheme Readiness
5. Our findings and observations from these reports are summarised below, with the full
reports available in the reading room (appendices 2-5).
6. Treasury Operations (Ref. 2020/22-03)
Needs Improvement
Sponsor: Al Cameron
Audit actions: P1 1, P2 3, P3 -, Total 4
Appendix 2
This audit assessed the design, operating effectiveness and
maturity of key Treasury controls. The services of a Deloitte
Treasury SME were engaged to benchmark activities.
The Treasury function has undergone several senior management
changes in recent months and has faced considerable challenges
brought about by the move to remote working necessitated by
COVID. Throughout this they have maintained their focus on strong
processes and controls to ensure continued, disciplined and well
controlled operations.
We observed that controls are standardised, well established, and
follow daily routines, which rely on key staff being available to
perform the daily tasks at the scheduled times, consequently there
is limited remaining capacity to support other activities. This limited
capacity has contributed to the findings raised at this audit and is
a key priority for the Group Treasurer in the development of the
function.
Specifically we highlight the following:
* Bank mandates were not up to date;
* Inconsistent records / minutes of Treasury Committee meeting;
* Controls documentation requires review and updating;
* For ad-hoc payment requests, the requestor’s authority is not
independently verified.
Management Comment provided by Tom Lee (Group Financial Controller)
“Having recently taken over the Treasury function this review provides me with both a good level of
comfort that the processes and controls are effective in many regards whilst highlighting a few key
focus areas to resolve in the short term. Working with the new Group Treasurer we intend on performing
a full review of the processes and controls to both reduce risk and create efficiencies. We'll welcome
IA’s advice and review on these changes in due course.”
7. BoE Note Circulation Scheme (Ref. 2021/22-02)
Needs Improvement
Sponsor: Al Cameron
Audit actions: P1 1, P2 4, P3 3, Total 8
Appendix 3
The objective of this audit was to review the controls in place to
ensure compliance with the rules in relation to the Bank of
England's Note Circulation Scheme; this included ensuring that all
notes held in BoE Bond were correctly reported and the process of
moving notes to ‘borrow’ from, and pay into BoE were correctly
declared to BoE and subject to appropriate accounting treatment.
We found that effective controls have been implemented in
response to the issues that occurred in late 2020. However, we
identified some control weaknesses that require remediation, most
importantly:
* Processes and controls are not standardised across cash
centres;
* Staff undertaking site/vault access reviews are not always
independent and site access reviews are not evidenced;
* The delivery model for training of staff in relation to NCS rules,
should be reviewed, standardised and formalised;
* There is no standardised process for recording of issues and
incidents;
* There are key person dependencies at each cash centre.
Management Comment provided by Russell Hancock (Supply Chain Director)
“Thanks to Garry and his team for their continued support, guidance and challenge as we continue to
refine and enhance our capability with regards to NCS standards. It is comforting to know that we are
heading in the right direction, we need to ensure consistency across the whole of the cash operations
teams and work to close the gaps identified. All of the findings will be rectified quickly.
We will continue to work with the Internal Audit team to ensure these actions are closed down and look
forward to welcoming the team back into our cash operations to measure further improvement.”
8. IDG Assurance Phase 3 (Ref.2021/22-15)
Needs Improvement
Sponsor: Dan Zinner
Audit actions: P1 4, P2 -, P3 -, Total 4
Appendix 4
Internal Audit were tasked to provide an assessment of the
effectiveness of the improvements completed up to 30th June 2021.
Prioritisation of improvements for review was again based on the
impact status.
Phase 3 commenced 12th July 2021 and reviewed the effectiveness
of all improvements (excluding those rated yellow) not previously
assessed that were due for completion by end June 2021. There
were 29 improvements for review in Phase 3: Oxblood Red (2), Red
(11) and Orange (16).
Progress continues to be made on implementing the improvements
identified by the various workstreams and under the oversight of
the IDG. Whilst the majority (23 out of 26) of the improvements in
Phase 3 have been delivered on schedule there remain examples of
improvements that have been marked as complete but, on testing,
have elements that are still in progress. These require focus and
follow up by IDG.
At the end of Phase 3, we conclude that 120 of the 126
improvements assessed to date are effective, with the remainder
being put back in remediation or deferred. We also highlight that
reconciliation of the tracking of actions is required to ensure
consistency in the numbers being reported.
Management Comment provided by Dan Zinner (Group Chief Operating Officer)
“While it is disappointing to see that we are not 100% completed on all improvements in this round, I
can see that most of the 3 remaining actions will be completed shortly and I am pleased with the
progress we are making to improve the way we better serve and support our postmasters. Thank you
for your hard work to ensure we are doing what we say we are doing!”
9. ATM Link Scheme Attestation (Readiness Review) (Ref. 2021/22-21)
Needs Improvement
Sponsor: Owen Woodley
Audit actions: P2 2, P3 -, Total 2
Appendix 5
This review was prompted by the decision to bring ATMs in-house.
As part of the ATM programme, POL aimed to secure membership
of the LINK Network Scheme and Internal Audit was required to
assure the reliability of a Member Assurance Statement submitted
by management.
Internal Audit performed a review of the management response to
each individual LINK statement and the related supporting
evidence. We found no significant errors or omissions in the
statement, and worked with management to add clarity where
required.
The Member Assurance Statement has been signed by the Head of
Internal Audit to assert that reasonable reliance can be placed on
the information provided by management to LINK. The Statement
has been accepted by LINK, and Post Office will become a full
member of LINK when ATMs become operational.
The attestation methodology has been documented by
management. However, we have identified a number of areas
where the methodology could be strengthened to ensure it drives
a consistent and robust approach to the ongoing assurance
activities, as ATMs become operational.
The ‘Needs Improvement’ rating of this report is reflective of the
ongoing nature of the work to develop and embed the assurance
activities required by LINK. The rating has no bearing on Post
Office’s readiness to join the ATM Link Scheme.
Management Comment provided by Wendy Luczywo, Head of Automated Banking
“We have implemented a robust control framework to support the LINK Assurance process with the
support of the Post Office Compliance & Audit teams. This has resulted in successful onboarding with
the LINK Scheme in preparation for our membership to commence once our first live ATM transaction
has been undertaken.”
10. It is our policy to review the Internal Audit Plan every six months to ensure that it
remains relevant to the key risks and strategic priorities of Post Office.
11. Our review of the 2021/22 Internal Audit Plan, which included discussions with senior
stakeholders, indicates that the plan is for the most part still appropriate for the risk
profile and to support Post Office’s strategic objectives and response to the GLO.
12. However, we propose the following changes to the plan (the full plan is attached as
appendix 1, with proposed changes indicated in red):
* BAU Audit Plan:
#5: GLO Stamp Stock Scheme: Further to discussions with Ben Foat, we have
expanded the scope to include all compensation schemes managed by the HMU.
#12: Cyber Security: Rather than doing another Cyber Security Maturity assessment,
the ARC has requested that we do a deep dive into cyber resilience. After discussions
with the CISO and the ARC, it was agreed that we will postpone the maturity
assessment to 22/23 in favour of a review of Post Office’s resilience to Phishing and
Ransomware attacks.
#23: IT Operations and Incident Management: To be postponed in favour of a change
assurance review of the transition of EUC services from CC to DXC (request from Jeff
Smyth). EUC is critical to IT Operations, therefore it makes sense to focus on the
immediate risks around the transition of services to a new provider.
#24: Horizon Application Controls: To be postponed to 22/23 given the extent of the
current improvements made to Horizon, which are covered through our audits of HIJ
Improvement Programme PhO-2 as well as item #7 below. We will still provide partial
coverage of Horizon controls through our audit of IT Controls Framework (#16).
* Programme Assurance:
#6: PUDO / Click & Collect: Addition to plan. New initiatives critical for achieving
strategic objectives.
#7: Horizon - Rationale & Value of Interim Improvements: Addition to plan. The
objective of this review is to assess the controls in place to ensure that only business
critical improvements are made to Horizon (e.g. for risk avoidance, HIJ conformance).
#8: EUC - Transition to new supplier: Replace #23 mentioned above.
#9: ATM Banking Programme Follow-up review: Programme has experienced delays,
with no contingencies.
#10: Belfast Exit Follow-up (Part 3): Postpone to 22/23 due to the slower pace of
programme delivery. Part 2 of the audit now scheduled for January.
#11: Change Control Framework: Cancelled for 21/22 as the control framework is now
embedded and stable. Another audit at this stage will bring marginal value.
13. Adoption of the revised plan will have minimal impact on delivery and resource. We
remain on track to deliver at least 30 internal audits as agreed with the ARC (22 BAU
audits and 8 Programme Assurance reviews).
Status of Audit Actions
14. The movement and ageing of audit actions are shown in the table below (status at 07
September 2021). There are currently 2 overdue actions.
Audit Action Status (POL): | | Ageing: |
Open actions at last ARC | 43 | Open (not yet due) | 33
Less: Actions closed in period | 31 | Overdue (<60 days) | 2
Add: New actions in period | 21 | Overdue (>60 days) | 0
Total open actions | 33 | Total open actions | 33
15. Following is a summary of the overdue actions and latest status update:
Description of audit finding and priority rating | GE owner and due date | Action Owners and Status Update
Cyber Maturity Assessment 2020
Finding (P2): Significant manual intervention is required to process joiners, movers and leavers.
Action: Document and unify Joiners, Movers, Leavers process as part of the JML project.
GE owner: Jeff Smyth
Original date: 31/03/2021
Btyoa/2001
Owner: Tony Jowett (CISO)
Status update: Good progress has been made with some of the Deloitte
recommendations that underpin this audit action. However, full unification and
automation is not currently feasible. Below is a full explanation of the current
position and residual risk, provided by Tony Jowett:
Background
Internal Audit tracked 8 overarching actions arising from the Deloitte Cyber Maturity
Assessment, which reported in July 2020. Seven actions have been closed but there is an
outstanding action to 'Document and unify Joiners, Movers, Leavers processes as part of
the JML project’. This overarching action comprises 7 specific recommendations raised by
Deloitte, focused on improving process documentation and to provide workflow automation
between key functions, and was intended to support a leap in maturity for access control.
Since the action was agreed, there have been some dramatic changes at Post Office:
1. We have moved into a public and now a statutory inquiry relating to Postmasters and Horizon
- the implication of this is that significant funds and management attention are being focused
in response to these legal requirements.
2. COVID has had a major impact on Post Office business since lockdowns and travel
restrictions began in March 2020 - this again has had a major impact on available money
for investment in all areas, including Cyber. Implementation of a gold standard IDAM
(Identity and Access Management) system is in the region of £2-3m including all project
costs in Post Office with an ongoing maintenance cost of £300k.
The Deloitte recommendations were made against a set of target control maturities that have
not changed since March 2019. Increasing control maturity requires capital and operational
spend - and making improvements at higher maturity levels requires exponential, rather than
linear, investment. The target maturity levels set in 2019 are much more difficult to achieve in
the current circumstances. Furthermore, with the adoption of the ‘Postmasters first’ mantra,
there is anecdotally greater tolerance of risk in areas that are deemed not to be directly affecting
postmasters.
What are the main challenges?
* Joiners - Ensuring that all appropriate checks are completed before people start work.
* Movers - Ensuring that access rights are changed appropriately during a move.
* Leavers - Ensuring that all building, payroll and IT access is removed on leaving.
* Across all - we are reliant on line management to inform the process of any changes.
What progress has been made?
There are three domains for JML:
* Retail (e.g. Horizon) - Whilst the Deloitte audit did not cover Retail, a number of major
improvements are being made to the Retail JML processes (especially around privileged
access management) by the GLO IT team with Fujitsu.
* Colleague (e.g., Active Directory) - MIM automation is now live - meaning that changes
in SuccessFactors automatically result in corresponding IT access changes. Cyber
Security are able to block access rapidly in response to incidents. GE members now
routinely receive a monthly report showing who has left their areas so that any
exceptions can be caught.
* Back office (e.g. CFS) - there have been improvements to process and documentation of
the flows, as well as coverage. Audit actions from the financial audits have been closed.
The IT Controls framework is being updated to provide better coverage of JML, as described in
the May ARC paper, and this will be fully live from 1 October 2021. Progress on JML has also
been detailed in previous ARC papers.
What risks remain and what can we do to close them?
We have a good working JML system in each domain. This, alongside the IT controls framework,
will increase our maturity levels. At present, we do not have cross-Post Office governance and
oversight that unification and automation across all domains would bring and that would enable
us to hit target maturity levels. To correct this we would need:
* A BA for 6 months to develop a unified process, governance and requirements for
automation.
* A Contracts analyst and Vendor Management input to assess the impacts arising from
changes to third party contracts - there would be cost implications from this.
* An agreed Target Operating Model across the whole of POL for JML - likely to involve the
creation of a single team from the disparate teams across POL. This team would consist
of 7 analysts who are skilled in IDAM (we have 2 currently).
* An automated Identity and Access Management Platform or we agree to be manual and
increase the headcount.
* Change resources to manage, develop and deliver the above.
* Across domain Configuration database.
* Revamped supporting identity infrastructure - e.g., Active Directory.
Introduction of automation would give productivity increases and reduce the risk of mistakes
associated with manual input, further raising our maturity level.
SPM Business Case Review
Finding (P2): Postmaster feedback has been gathered via surveys which will
be valuable in the solution design of the SPM programme. However, it is not
clear within the programme plan or the business case how and when the
information will be incorporated into the solution design and build.
Action: The SPMP team, under the programme sponsor's leadership, is standing
up a design authority which will be chaired by the Head of Postmaster
Engagement and will be a requirement for approval of any technical solution
or business process modification.
GE owner: Zdravko Mladenov
Original date: 31/07/2021
Owner: Zdravko Mladenov
Status update: Action owner discussed the delay in completing this action with
Nick Read on 17th August. Action is in progress, with a revised completion date
of 31st October being indicated.
16. We highlight that five actions from the Historical Matters Governance review, with an
original deadline of 31 March 2021, are still outstanding, but have not been included in the
overdue count above. The ongoing changes to the structure of the HMU have delayed
finalisation of these actions and the action owner requested extension until there is clarity
on the HMU structure and accountabilities going forward. Extension was provided to 30th
September 2021 and actions are progressing, but the action owner has indicated that it
is unlikely to be completed before 31st October. The outstanding HMU governance actions
include drafting of an operating model & RACI, identifying risks & risk appetite, assessing
training needs, reviewing BC & DR, and agreeing data classification standards.
POI Audit Programme
17. The table below shows the status of the 2021/22 POI audit programme, which is
reported to the POI ARC:
# | Review | Status / Rating
1 | Vulnerable customers | Scheduled Q4
2 | Finance controls | Scheduled Q4
3 | Change: GI pricing (pre or post implementation) | TBD*
4 | Channel review: non-branch sales | Scheduled Q3
5 | SMCR Embeddedness | Needs Improvement
6 | Risk Management - Phase 2: Operation | Scheduled Q3
* Dependent on stage of programme to be assessed
18. Below is a summary of the SMCR Embeddedness review, which was rated ‘needs
improvement’ to reflect further work needed to fully embed the process:
* This review was performed as part of the internal audit 21/22 plan, and was carried
out to assess the embeddedness of SMCR requirements within POI.
* SMCR has been implemented and is operational in POI. The first annual
recertification has been carried out, and changes to individuals and roles with SMCR
impact throughout the period have been managed effectively. Senior Manager and
Conduct matters are regularly discussed in governance forums, and individuals in
Senior Manager roles report regularly to the ARC on their specific areas of
responsibility.
* The changes to POI's organisational structure have provided an early opportunity
for the process to cycle. This has been broadly successful, although management
experienced some challenges, particularly where there is a dependency on POL for
parts of the process. This also presents an opportunity for management to leverage
experiences to date to further embed SMCR within the business.
* Some weaknesses were found in the clarity, detail and coverage of processes and
accompanying documentation. Key SMCR policy and procedural documents should
be updated, and there is a need to review and expand these in line with industry
practice. This will strengthen credibility of the scheme.
Appendices
Appendix 1: Internal Audit Plan for 2021/22
Note: Items in red denote proposed changes to the approved plan.
Appendices 2-5 are accessible in the CoSec ‘Reading Room’
# | Title/Subject | Sponsor | Timing | Status / Rating
Top 5 Priorities
1 | IDG Assurance - Phase 2 | Dan Zinner | May | Not Rated
2 | GLO Historical Shortfall Scheme - Claims & Payments | Declan Salter | June | Needs Improvement
3 | Note Circulation Scheme (BoE Controls) | Al Cameron | June | Needs Improvement
4 | IDG Support & Assurance - Phase 3 | Dan Zinner | July | Needs Improvement
5 | fon Sch (previously GLO Stamp Stock Scheme) | Ben Foat | Oct | Scope change
Rolling forward plan
6 | Payzone Control Environment | Owen Woodley | June | Needs Improvement
7 | Treasury Operations | Al Cameron | June | Needs Improvement
8 | Effectiveness of Financial Crime Function | Ben Foat | Aug | Fieldwork
9 | CFS Application Controls | Al Cameron | July | Reporting
10 | Effectiveness of Compliance Function | Ben Foat | Nov | Not started
11 | JML Deep Dive | Jeff Smyth | Feb | Not started
13a | ATM Link Scheme Assurance (Readiness) | Owen Woodley | June | Not Rated (Memo)
13b | ATM Link Scheme Assurance (Attestation) | Owen Woodley | Mar | Not started
14 | Third Party Data Validation | Al Cameron | Feb | Not started
15 | Business Continuity (Incl. Post-crisis assessment and ITDR) | Al Cameron | Sept | Fieldwork
16 | IT Control Framework | Jeff Smyth | Jan | Not started
17 | Financial Reporting Controls | Al Cameron | Feb | Not started
18 | ServiceNow Implementation | Al Cameron | Sept | Fieldwork
19 | Postmaster On-boarding | Amanda Jones | Jan | Not started
20 | Postmaster Remuneration | Dan Zinner | Aug | Fieldwork
21 | HIJ Improvement Programme Follow-up | Jeff Smyth | June | Not Rated
22 | IDG Assurance Phase 4 (incl. TI target validation) | Dan Zinner | Nov | Planning
23 | IT Operations and Incident Management | Jeff Smyth | 22/23 | Replaced by #8 below
24 | Horizon Application Controls | Jeff Smyth | 22/23 | Delay to after HIJ ph2
Change Assurance Reviews
1 | Strategic Platform Modernisation (SPM) Setup / Business | Zdravko Mladenov | May | Not Rated
2 | ATM Banking Strategy Programme | Owen Woodley | June | Needs Improvement
3 | Belfast Exit Follow-up (Part 2) | Jeff Smyth | Jan | Not started
4 | PCI Follow-up (Part 2) | Jeff Smyth | Oct | Planning
5 | SPM Mobilisation/Delivery | Zdravko Mladenov | Oct | Not started
6 | PUDO / Click & Collect | Dan Zinner | the | Addition to plan
7 | Horizon - Rationale & Value of Interim Improvements | Jeff Smyth | Sept | Addition to plan
8 | EUC - Transition to new supplier | Jeff Smyth | Sept | Replaced #23 above
9 | ATM Banking Strategy Programme Follow-up | Owen Woodley | Nov | Addition to plan
10 | Belfast Exit Follow-up (Part 3) | Jeff Smyth | 22/23 | Postpone
11 | Change Controls effectiveness | Dan Zinner | | Cancelled
Appendix 2: Internal Audit Report - Treasury Operations
Appendix 3: Internal Audit Report - BoE Note Circulation Scheme
Appendix 4: Internal Audit Report - IDG Assurance Phase 3
Appendix 5: Internal Audit Report - ATM Link Scheme Attestation (Readiness Review)
Tab 4.1 Postmaster Management Information Update
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Postmaster Management Information (MI) Update
Meeting Date: 28 September 2021
Author: Nick Beal, Network Performance Optimisation Director
Sponsor: Zdravko Mladenov, Business Transformation Unit (BTU) Director
Input Sought: Noting
The Committee is asked to note the update on BTU’s proposed approach being undertaken to
improve the provision of MI to postmasters.
Previous Governance Oversight
* BTU reported to ARC in May 2021 on its proposed approach to improving the provision
of MI to Postmasters. It was agreed a further progress update would be provided in
September 2021. The paper has been noted at the RCC meeting on 14th September
2021.
Executive Summary
In May we reported that our initial and immediate priority had been to develop a Proof of
Concept (PoC) in Branch Hub that reflected some of the Branch Insight Tool functionality
currently used by Area Managers to provide branch MI to postmasters. This was the newly
labelled Branch Performance tool and was successfully launched to an initial 30 branches,
rapidly followed by a further ~170 and now extended to ~800.
PoC data provided has expanded from its initial Mails sales data and now also includes volume
data for Mails, Banking and Payment Services; customer session data for all products; sales by
staff data; Mails remuneration data; operational performance data; and operational messaging
related to branch activities such as conformance.
In July Post Office Board approved funding for further Branch Hub activity through to December
2021 and this will include additional MI and Postmaster support features, migration of the
current data platform into full IT support, delivery of Postmaster adoption activity and
assessment & potential piloting of Branch Hub access via Horizon.
Beyond this, we are currently scoping longer-term branch MI requirements and Branch Hub
integration into Strategic Platform Modernisation (SPM), aligned with wider business
transformation.
This paper sets out the current features plus those expected to be delivered by December and
the high-level road map beyond.
Questions addressed
1. What initial improvements have been made to the provision of MI to postmasters since the
Deloitte and Internal Audit report?
2. What additional short-term improvements will be made to the provision of MI to
postmasters?
3. What is our roadmap beyond these improvements?
Report
4. Ultimately our plan continues to be for postmasters to be able to access information in
one place via the Branch Performance tool on Branch Hub.
5. Branch Performance will provide postmasters with data and information to support and
improve the running of their branch and enable them to take a data-driven approach to
improving overall performance.
6. This will include information related to sales, remuneration, staffing and operational
performance as well as wider Branch Hub access to training, support, on-line help and
communications.
7. We will add information iteratively to Branch Performance, with prioritisation based on:
* Postmaster preferences (as articulated in workshops, surveys and the recent
consultation)
* Deloitte recommendations (chiefly BC4 on provision of remuneration data)
* Findings of the Internal Audit Report
What initial improvements have been made to the provision of MI to postmasters
since the Deloitte and Internal Audit report?
8. The current release of Branch Performance contains information on:
* weekly Sales Performance (volumes and values for Mails, volumes by
day/hour for transactions & customer sessions, sales by staff)
* monthly Operational Reporting (key metrics related to cash declarations,
customer complaints, Mails conformance, transaction activity)
* monthly Mails Remuneration (MDA2 vs MDA1 comparisons)
9. In addition, we have also implemented Branch Messaging functionality that contains
notifications (with potential actions required highlighted) related to key operational
metrics.
10. The pilot is currently available to around 800 with the intention of expanding to around
5,000 by December and to the entire network in the new year. Feedback to date has been
very positive.
11. Example screenshots are shown below with more included in Appendix 1 and a link to the
demo provided to the Board in July.
What additional short-term improvements will be made to the provision of MI to
postmasters?
12. The activity through to December aims to deliver the following information/features:
* Access control - currently Branch Performance is only available to Postmasters
(i.e. contract holders). Role Based Access Control (RBAC) will enable
postmasters to make the various features on Branch Hub available to their staff
as they wish. This will be a simple On/Off (defaulted to Off) button for each
feature, thus providing both operational flexibility and information protection for
Postmasters.
* Daily/Weekly/Monthly remuneration information - we will be extracting
directly from CFS Remuneration to make available this data which will
significantly improve timeliness for Postmasters. (Please note we are not, at this
stage, replacing the existing monthly remuneration statement postmasters get
as this contains data that is only calculated monthly sourced from 3rd parties as
well as other contractual information. Replacement of this report will be a future
deliverable.)
* SQL migration from existing standalone server to fully IT supported
infrastructure - this activity will improve the efficiency of data management
in Branch Performance and de-risk current support issues that restrict expansion
to all branches, thus directly addressing the risk identified in the May report.
* Conversion rates by operator (penetration) - this will provide information
to Postmasters related to the ratio of priority to standard mails transaction by
staff member, enabling performance management and potential incentivisation.
* Report exporting to Excel - functionality to enable Postmasters to download
reports.
* Sales Support - increasing the range of products with volume and value data
- next will be Banking and Payment Services
What is our roadmap beyond these initial improvements?
13. In parallel to the delivery of above features, other activity is underway that will deliver
post December that will enhance the Branch Hub experience and thus increase adoption
of its features, specifically:
* Branch Hub on Horizon - recent discussions with Fujitsu (and other relevant
suppliers) indicate there is a good probability of being able to provide
functionality to access BH from Horizon. The detailed requirements and plan for
this is being constructed now and the intention will be to pilot as soon as possible
- current ambition is for the pilot to commence before the change freeze in Nov
21 - pilot duration to be confirmed - but it should be noted that delivery of a
pilot prior to the change freeze is far from certain and subject to key supplier
activity which has yet to be confirmed. The delivery of this functionality is
potentially a game changer to adoption, providing access to both Postmasters
who are resistant on the basis of believing Post Office should provide devices
and Strategic Partners who prohibit their staff from having their own devices on
the shop floor and will not invest in separate devices for this purpose.
* Branch Performance for Strategic Partners - adding head office reps onto
Branch Hub. This will provide the ability to view their estate as a whole and
identify their best and worst performers.
* Wider adoption activity - in addition to the above 2 initiatives, we have
recently recruited an Area Manager into the team to work on increasing
Postmaster adoption of Branch Hub and Branch Performance within it. Whilst
the vast majority of branches are registered and usage has grown, as we expand
the pilot and grow features, we want to ensure that Postmasters understand the
value this can add. Our comms and engagement strategy for this will major on
working with the Area Managers directly.
14. Aside from above, our roadmap beyond December has not yet been developed but we
anticipate scoping further features that add genuine value to postmasters whilst also
ensuring we align to and take full advantage of the wider SPM developments.
15. With this context we are working closely with PDP (POL Data Platform) programme as it
develops its proof of concepts, specifically investigating the technical feasibility of
surfacing PowerBI within SNOW and related technical integration and access controls that
would be required to enable access for Postmasters via Branch Hub to detailed
transactional information in near real time.
16. In addition, we are working with the Horizon Improvement Programme investigating the
potential provision of a capability for Postmasters to raise and resolve transactional
discrepancies directly from Horizon, surfaced via Branch Hub. Delivery of this aligns
directly with the provision of Branch Hub on Horizon.
Risks
17. SQL migration delivery - SQL Azure cloud environment has been secured and we have
commenced trial migration activity. We are planning to scope phase 1 productionise
requirements during Sept to enable work to commence from Oct but there is a risk to
timescale certainties that we are currently scoping that may delay full network expansion.
18. Branch Hub on Horizon - whilst initial discussions have been productive, inevitably the
number of suppliers involved and wider Horizon priorities may impact our ability to deliver
quickly - the current optimistic timeframe (after piloting) being end March 2022.
Next Steps & Timelines
19. It is recommended that a further progress update is provided to Audit, Risk & Compliance
Committee in March 2022 following delivery of further functionality and clarity around
further funding of Branch Hub/alignment to SPM.
Demo link & additional example screenshots
Branch Hub video demo
Web address: https://vimeo.com/578169120/603bScaac3
Password: I8N1N"O£V%A
Appendix 1
Example screen shots
[Screenshots: Branch performance; Branch messaging; Sales Performance (Customer Sessions, Transaction Volumes, Mails); Mails Product Sales by Smart ID]
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Postmaster Management Information (MI) Update - Branch Hub video demo
Meeting Date: 28 September 2021
Author: Zdravko Mladenov, Business Transformation Unit (BTU) Director
Sponsor: Nick Read, Group CEO
Branch Hub video demo
Web address: https://vimeo.com/578169120/603bS5caac3
Password: I8N1N"O£V%A
Tab 4.2 Data Governance Framework Update
POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT
Title: Data Governance Framework
Meeting Date: 28th September 2021
Author: Matthew Taylor, Head of Data Governance
Sponsor: Jeff Smyth, Group CIO
Input Sought: Noting
The Committee is asked to note the status and plans regarding the introduction of a Data
Management framework across POL and how POL is addressing compliance with the Public
Records Act 1958.
Previous Governance Oversight
Noted at the RCC meeting on 15th September 2021.
Executive Summary
Data Management covers a multitude of processes. POL has made several attempts to start
formal management of data with varying degrees of success. With the publication of the
Horizon Issues Judgment (HIJ) and the remediation activity following on from it the need for
a clear and coherent policy around Data Management and the subsequent deployment of
appropriate Data Management capabilities has increased.
Whilst we ultimately need to embrace all aspects of Data Management at POL, we must be
aware that POL is going through several major changes during the next 1-3 years covering
core platforms and capabilities. We therefore need to phase the introduction of more formal
data management by choosing a few key elements of Data Management that will be
foundations of success.
To do this, the proposal is to tackle those items that will have the most value to POL at the
moment (such as establishing data ownership, ensuring our compliance with various
legislation including the Freedom of Information Act 2000 and Postal Services Act 2000, and
data/document retention policies) and those that will also deliver the most tangible benefits
for our Postmasters such as ensuring the quality of reference data is measured and where
issues found, they are rectified. These areas are Data Governance, Data Quality and Data
Ownership.
The aim is to embed these core data management areas in all our activities.
It should be noted though that whilst POL is subject to further legal process (such as the
upcoming public inquiry), POL will be unable to fulfil some of its policies and standards
commitments (e.g., legal hold with regards to document retention policies).
This paper deals with digital records only and does not deal with physical ‘data’ records held
by POL.
In addition, this paper provides updates on the recommendations made in the RCC Report 4th
May around POLs agreement with the Postal Museum.
Questions addressed
1. What is Data Management?
2. Where is POL with Data Management, what is our current maturity level and what are the
risks currently?
3. How do we improve trust in our data?
4. What is the proposal?
5. What are the risks to POL of not delivering on the plan?
6. Next steps and timelines including agreed actions from recommendations made from 4th
May’s RCC report on Data Governance and the agreement with The Postal Museum.
Report
What is Data Management?
1. Data Management refers to the practice of constructing and maintaining a control
framework for ingesting, storing, mining, measuring, controlling and archiving data.
Data Management is the spine and corresponding nerves that controls all segments of
the data lifecycle.
2. Whilst Data Management covers a multitude of areas, for the purposes of this initial
undertaking, we are looking at three key pillars of Data Management, namely Data
Governance, Data Quality and Data Ownership.
i. Data Governance is the creation of frameworks and the on-going maintenance of
policies and subsequent standards and methodologies on how data should be
managed (including templates, processes, methods and “how-to” guides).
ii. Data Quality is the implementation of a quality measurement programme,
enabling the effective measurement and reporting of data quality across a business
and its suppliers (measurements include completeness, conformity, coverage,
accuracy, consistency, duplication and timeliness).
iii. Data Ownership is the creation of a data ownership model. Ownership refers to
both the possession of and responsibility for data within a defined area of a
business. Data Owners and Stewards are critical to the success of a business - they
ensure that data is protected, that the right controls are in place for access to data,
that the data quality is understood, measured and managed, and understanding in
detail what the master data sets of POL actually are.
Where is POL with Data Management, what is our current maturity level
and what are the risks currently?
3. We have little Data Management in place (covering items such as Data Governance
standards and policies, Data Quality, accuracy and completeness reporting or Data
Ownership via a single point of accountability). We are unable to confidently say that we
have any form of ‘over-arching’ Data Management at POL.
i. From a Data Management perspective, we should be able to answer yes to the
following questions with a high-level of confidence:
i. “We have in place a clear set of policies, standards and procedures that govern how
data is sourced, managed, reported, archived and disposed of at POL”
ii. “We have in place a clear set of accountabilities across the business for Data
Ownership and these owners clearly understand their responsibilities”
iii. “We have a comprehensive set of metrics in place across POL that measures the
timeliness, completeness and accuracy of our data and also our compliance with both
internal policies (such as document retention) and external legislation (such as
GDPR/PCI DSS)”
4. Maturity/Risks/Examples:
i. Data Governance
i. Maturity - From a retail perspective, POL is immature from a Data Governance
standpoint with other retailers having mature policies and standards in place
around data and its use (based on experience at another retailer).
ii. Risk - Policies and standards form the bedrock to any business's effective
management of its data assets. Without these, the business operates on uneven
foundations.
iii. Examples of risk - Who makes decisions on future data strategy (in the absence
of a Data Council)? How do we agree on who should own what data (in the
absence of Data Owners)? How should we deploy new data projects to ensure
they comply with all relevant legal and regulatory policies (e.g., GDPR)?
ii. Data Quality
i. Maturity - From a retail perspective, POL is immature with regards to its Data
Quality reporting capabilities and is unable to accurately report on the level of
Data Quality across the business.
ii. Risk - Data is used everywhere and every day 1000s of decisions are made
using data that is assumed to be of a high-quality. There is no systematic way
of ‘trusting data’.
iii. Examples of risk - Poor quality Finance data used to calculate revenue,
incomplete/inaccurate HR data used in business continuity planning, inaccurate
marketing consent or reporting to central government.
iii. Data Ownership
i. Maturity - From a retail perspective, POL is immature from a Data
Owner/Stewards standpoint with other retailers having clear Data Ownership in
place (based on experience at another retailer).
ii. Risk - No single point of ownership for data across the various business units.
Often assumed that IT own data. In fact, IT host data for the business to use
and as such it must be owned and managed by the business. Risks to success
of Horizon Improvement Programme (HIP) migration to new technologies.
Owners/Stewards critical to the creation and management of a data lake.
iii. Examples of risk - Lack of clear and concise disclosure following requests by
regulators/auditors. Inaccurate reporting of Risk of Processing Activities
(ROPAs), removal of personal data post request for ‘right to be forgotten’,
unable to observe document retention schedules.
How do we improve trust in data?
5. By undertaking a wide-scale review of the current, interim and proposed data landscape
with a view to creating a vision on how we move from the current position of “very little
confidence in our data” to one of “confident”.
6. Once we have this vision, we can look to plan the deployment of three key principles:
Data Governance, Data Quality and Data Ownership. Bringing these three items to the
table will increase the level of trust significantly.
What is the proposal?
7. POL is going through a massive course of change over the next few years. As such we
need to be pragmatic that whilst we would like to have a comprehensive Data
Management suite sitting across the whole of POL as soon as possible, we need to be
realistic and be mindful of our change bandwidth.
8. Given that POL has large numbers of data assets across its real estate, a review will be
undertaken to prioritise the initial roll-out of this proposal to its ‘Crown-Jewels’
systems/assets (dealing with both structured/un-structured). As the roll-out progresses,
those data assets beyond the ‘Crown-Jewels’ will be covered.
9. We need to balance Data Management needs with those of the business. Therefore, our
over-arching approach to Data Management should be light touch so that we are able to
answer ‘Yes’ to the following statements:
i. “We know how we manage our data”
ii. “We know who owns our data”
iii. “We trust the quality of our data”
iv. “We are confident we comply with internal policies and external legislation”
10. The proposal is to create a core team within POL that will manage the overall
implementation and on-going maintenance of a Data Management framework, covering
Data Governance, Data Quality and Data Ownership. In more detail our proposal is:
i. The creation of Data Owners within the overall business, who will have the
accountability for ensuring data is protected, controlled, measured and reported.
An integral part of this is also the appointment of Data Stewards. These will
oversee the implementation of the Data Governance framework across the business
and the introduction of metrics around the quality of data/introduction of KPIs.
ii. The roll-out of a companywide education programme around how data should be
managed, looked after and reported.
iii. The procurement of industry standard software to enable (where possible)
automated measurements and controls to ensure the business not only complies
with the relevant policies (such as document retention) but also that the business
can produce accurate and meaningful quality reporting.
11. Whilst the deployment of Data Governance, Data Quality and Data Ownership initiatives
across POL form the foundational layer, other aspects of Data Management are
important to the overall operation of the POL and as such will be subsequently brought
on-line over the coming months and years. These include:
i. Data Lineage
ii. Data Glossaries
iii. Data Dictionaries
iv. Document Retention Tooling
What are the risks to POL of not delivering on the plan?
12. In addition to the other concerns raised in this paper, the Group General Counsel (GCC
Next steps and Timelines and agreed actions from recommendations
made from 4th May RCC report on Data Governance and the agreement
with the Postal Museum.
13. The Data Governance lead is currently formulating a plan for approval on how we will
deploy a Data Management framework to the business (as detailed above). If approved,
this will see the creation of a central Data Management team, with three verticals
covering the core principles detailed in this document.
14. As a first step, a prove-plan proposal has been submitted and agreed by the Project
Review Board (PRB) & Investment Committee (IC), to draw down on board approved
funds (as part of the wider POL Data Programme) to deploy a data ownership framework
across POL and the appointment of Data Owners to high-level business segments. This
prove plan is due to deliver at the end of December (see Appendix A).
15. A core element of this planning is to understand the tooling currently available to POL to
assist with Data Management functions (such as the 5 E5 document and retention
tooling).
16. Please see Appendix A for a high-level plan of the overall Data Management plan
(including the prove-plan phase in green).
17. Following on from the recommendations made and subsequent approval on how we can
get a minimum level of compliance with the Public Records Act 1958, the committee is
asked to note these updates to the 4th May’s Data Governance RCC paper.
5.3.1 advice is obtained 0 iii
i. Update: POLs lawyers (HSF) have confirmed
5.3.2 we work closely with The Postal Museum to understand how we may work
with them better going forward, in particular in relation to transfer of digital
records and fully utilise the resource and expertise they have available to assist
us in ensuring that we are complying with the PRA.
i. Update: The new Head of Data Governance at POL has had several
meetings with The Postal Museum to better understand what our
responsibilities are and how we can better comply with the Public Records
Act 1958. As part of this, a new process has been designed and submitted
for approval. This will see the use of SharePoint, ServiceNow and Quatrix
used to facilitate and keep track of documents transferred to The Postal
Museum.
iii. 5.3.3 the relationship with the TPM is managed centrally by a core team to
ensure that there is no duplication of information sent across or tasks being
performed and that any concerns raised by TPM can be easily addressed and, if
needed, escalated.
i. Update: This will be addressed by the roll out of the Data Ownership
framework as detailed above.
iv. 5.3.4 training is provided throughout the business on POL’s PRA obligations, the
Document Retention and Disposal Policy and the retention schedules and each
area of the business put forward one person to be the point of contact of the
policy for that area of the business
i. Update: This will be addressed by the roll-out of the wider Data
Management framework detailed above.
Appendix A - Overall Data Management Plan (Prove-Plan in Green)
[Figure: Gantt chart with a monthly timeline and a milestone marker. Task rows: Write Data Governance Framework and …; Communicate/implement framework; Establish Data Councils; Establish Data Governance reporting; Stand up Data Governance Zone / Training contents; Establish Data Quality Requirements; Stand up Data Quality Programme (incl. Proof of Concept); Stand up Data Quality Zone / Training; Prove Phase: Draft Data ownership model and RACI, Assign owners; Stand up Data Ownership Zone / Training; Recruitment for Data Management roles; Create RFP for Tooling.]
Tab 5 Postmaster remuneration - 3rd party assurance
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Postmaster Remuneration - Third Party Data Assurance
Meeting Date: 28 September 2021
Author: Tom Lee, Group Financial Controller; Johann Appel, Head of Internal Audit; Christine Kirby, Head of Financial Accounting and Controls
Sponsor: Alisdair Cameron, Group Chief Finance Officer
Input Sought: Noting and Discussion
The ARC is asked to note and discuss:
• The risk identified in relation to Postmaster Remuneration (“PM REM”) where reliance is
placed on third parties;
• Instances identified where the risk has resulted in a detriment to Postmasters and
associated remediation activities; and
• Assurance activities planned to reduce the risk.
Previous Governance Oversight
• September Risk and Compliance Committee
Executive Summary
Post Office Group (“POL”) has an inherent risk within its financial numbers and associated
processes arising from the reliance on third party data. Significant assurance activity has
been performed in relation to this risk where it pertains to revenue activity, with Internal
Audit and Central Finance conducting annual review procedures on material revenue streams
driven by third party data. Due to a specific issue which has recently come to light pertaining
to third party reliance for PM REM, work which was due to be undertaken by Internal Audit
and Central Finance has been brought forward in order to help mitigate the risk in this area.
The specific issue which has come to light in relation to PM REM is misallocation and
underpayment of PM REM for Bank of Ireland (“BOI”) savings account referrals as a result of
BOI having erroneous processes in place. This has been resolved and processes and controls
are being put in place to prevent future issues in these areas. Work is being undertaken by
the Historical Matters Unit regarding the BOI issue in order to ensure any Postmasters that
suffered a detriment are identified and remunerated accordingly. It should be noted that we
believe that the overall financial position recognised within the ARA is materially correct and
that the issues identified are principally in relation to individual postmaster settlements.
In order to provide assurance and mitigate the risk arising from reliance on third party data
for PM REM, the following will be undertaken:
- Internal audit review of PM REM - to assess the effectiveness of controls operated by
POL to ensure the completeness and accuracy of third party data. Where appropriate,
data analysis will be used to support the review.
- Annual assurance activity over third parties and associated data, based on risk
profiling, aligned with the existing annual third party revenue data audit where
possible.
- Re-visit the controls tested in the initial review to ensure POL’s existing controls over
PM REM generated by third party data are sufficient. Implement additional controls and
changes to process where possible within POL to assist with prevention and detection
of issues in this area.
POL also needs to ensure that contracts entered into with third parties contain clauses that
provide service provider assurance (e.g. ISAE 3402 reporting) and allow an annual right to
audit.
ARC is requested to review the suggested approach to assurance and mitigation and provide
any comments or challenge.
Questions addressed
1. What is the risk identified?
2. Has the risk resulted in a detriment to Postmasters?
3. How are Post Office planning to mitigate the risk going forward?
Report
Overview of the risk
1. Due to either the nature of the products or the product data journeys, Post Office Group
(“POL”) is, for certain products, inherently reliant on third party data in order to recognise
and perform certain transactions.
2. The risks associated with this have previously been identified, with the accuracy and
completeness of data which POL relies upon being dependent on the relevant third party
having adequate processes and controls in place.
3. The most material area of the business where this risk arises, in transactional value terms,
is revenue (forecasted third party revenue for FY21/22 is i The risk associated
with revenue has been addressed through the work performed jointly by Internal Audit
and Central Finance over the past 3 years, performing audits over relevant third parties
where the annual revenue value is deemed material or the process is deemed to be high
risk.
4. However, it has always been known that another area exists, albeit the financial risk is
somewhat less material, being that of PM REM.
5. Where products are processed in Horizon and the data is therefore maintained by POL, PM
REM is calculated using this data. However, there are two known instances where PM REM
is calculated using third party data:
a. Non Horizon sales - Product sales where the customer does not complete the
transaction in branch and no data flows through Horizon but the PM REM should be
remunerated for the sale i.e. online sales and paper sales where the PM REM has
directed the customer to it e.g. insurance and savings products where the customer
is required to complete an online or paper form and reference the branch.
b. Foreign Currency sales - Horizon nets off the purchase and sale of forex but
Postmasters are remunerated on a gross basis. POL therefore receives data directly
from First Rate Exchange Services Limited (“FRES”) which grosses out the sales data
to enable PM REM to be calculated. The PM REM for these transactions equated to
to the COVID-19 impact.
Known issue
6. Recently, an issue has been identified in relation to PM REM where we are reliant on third
party data. This is briefly explained below along with the mitigating actions taken.
Bank of Ireland Savings Accounts
7. Postmasters should receive remuneration when a customer opens a Bank of Ireland
(“BOI”) savings account following an in-branch referral. The product can be sold via
Horizon, resulting in direct remuneration, but in some cases the customer prefers to
complete the form at home (downloadable app form/branch app pack taken home) and
post direct to BOI.
8. When a direct application is made to BOI the branch would receive remuneration if the
customer includes the Branch FAD code on the application, which enables BOI, and
ultimately POL, to identify the branch and remunerate the Postmaster accordingly.
9. If an application is received with no FAD code on, BOI should apply a ‘999’ code which
informs POL that no code was included and therefore an assumption should be made that
the branch closest to the applicant’s home address made the referral and remunerated
accordingly. These 999 applicants are therefore placed in POL’s gravity model which
identifies the branch to be remunerated.
10. In March 2021 a Postmaster identified they hadn’t been remunerated for two savings
accounts where they knew the customer had included the FAD code on the direct
application.
11. Following an investigation by POL and BOI it was identified that there are two issues in
the process:
a. For all direct applications which contain a FAD code, BOI have been overwriting the
FAD code with a ‘999’ reference. This potentially results in a misallocation of PM REM
between branches.
b. As part of the data conversion and transfer process at BOI, some ‘999’ allocations
were also being changed to ‘000’ allocations. A ‘000’ is not put through the POL
Gravity model as it’s assumed no referral has occurred and therefore no branch
would be remunerated.
12. The impact of this is that PM REM has either been misallocated or underpaid since product
inception for all ‘direct’ applications.
13. An interim fix was applied on 12th May, once the issues had been identified, to ensure
‘999’ was only added where the FAD code field was blank and to ensure ‘999’ references
are not transferred to ‘000’. Sample testing is being performed to ensure the process is
being followed correctly and PM REM is correct. A formal process is being drafted and
additional controls are being considered.
14. The historical PM REM errors are being reviewed by the Historical Matters Unit (“HMU”),
who are working with BOI, via the POL product team, to identify all potential instances of
detriment, back to when the product launched in April 2006, in order to quantify and correct
the issues.
15. The quantum is unknown at this stage, however it has been identified that there have
been 57,000 direct applications for this product over the lifetime. BOI are working through
all these direct applications to identify the right FAD codes, after which the HMU can seek
to correct the errors.
16. This paper does not seek to explore and address the historical remediation in detail, which
will be covered by the HMU in their other updates, but it does acknowledge there is a
potential historical financial detriment which will be tracked and monitored with relevant
financial provisions made.
Risk mitigation
17. Putting the specific issue noted above aside, the wider risk around third party reliance in
PM REM was in the pipeline to be addressed by Internal Audit (“IA”) and Central Finance
(“CF”) in the coming year. However, given the risks have now been noted to have resulted
in issues the work has been brought forward.
18. The plan to mitigate the risk is as follows:
a. IA, supported by CF, will conduct a review of PM REM to identify all instances of
reliance on third party data
b. IA, supported by CF, will risk rate the areas identified, in order to prioritise review
c. IA will incorporate a review of POL’s controls around third party data into the planned
IA review over PM REM scheduled for October 2021.
d. IA, supported by CF, will conduct audits over the third party data, processes and
controls, for third parties deemed to be in scope, during Q4 FY21/22.
e. Off the back of the above reviews, CF will look to implement additional controls
within POL e.g. data analytics, to enable closer monitoring and issue identification.
f. Longer term - IA & CF will conduct annual reviews over the third parties which POL
relies on for data for PM REM, based on materiality and risk profiling.
19. Work with Legal to consider the third party data reliance risk relating to PM REM when
negotiating new contracts. Contracts should include:
a. Provision of service provider assurance (such as ISAE 3402 reporting) from the third
party and,
b. The right for POL to audit the third party annually
20. Assess if the Strategic Modernisation Project can help to reduce reliance on third party
data for PM REM.
Tab 6 Corporate Insurance Renewal
POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT
Title: Corporate Insurance Renewal 2021
Meeting Date: 28th September 2021
Author: Peter Mitchell, Group Treasurer; Tom Lee, Group Financial Controller
Sponsor: Alisdair Cameron, Group Chief Financial Officer
Input Sought: Noting and Approval
The ARC is asked to note the update on the 2021 Insurance Renewal process and delegate
authority to the CEO and CFO to finalise terms of the renewal.
Previous Governance Oversight
• Previous update provided to the Audit, Risk & Compliance Committee (“ARC”) as a
noting paper - 26th July 2021
Executive Summary
As a follow up to the paper shared with the ARC in July 2021 (Appendix 1), which outlined the
policy renewal process and strategy, this paper sets out the latest insurance renewal forecasts
for 2021 and seeks formal approval to delegate authority to finalise the terms of the renewal
to the group CEO and CFO.
Unfortunately, the market continues to be very tough and the latest premium forecasts are
higher than those reported to ARC in July 2021. The premium increases are a reflection of the
market in general and are not specific to Post Office (“POL”). The main pressures on pricing
are in the Directors and Officers, Crime and Cyber premiums.
Some insurers will not provide terms outside of 30 days from renewal. POL’s insurance renewals
Given the timing of the ARC meeting and the timetable for renewal,
we are not able to provide final terms at this time. As such, the figures presented in this paper
represent the latest market expectations.
Current forecasts indicate premiums of c.
in the 2
dependent on premium quotes received. Whilst this would attract new additional
premium cost it would allow POL to utilise its own risk appetite for smaller
in return achieving greater protection from larger, catastrophic events.
The recommendation to ARC is that the level of cover should not be reduced across any of
the policies. Furthermore, exploration should be made on the cyber policies to identify the
impact on the premium of} IRRELEVANT
ARC is requested to discuss the options and advise on its preferred approach. Additionally
delegated authority is sought for the Group CEO and CFO to finalise terms of the renewal.
1. What are the latest premium forecasts?
2. Can we amend our strategy to reduce the premium increases?
Report
What are the latest premium forecasts?
1. As presented in the July 2021 ARC paper, insurance premiums were forecast to increase
by: i from those paid in the 2020 renewal, from in total.
2. Latest view indicates the increase could be closer to: for
the 2021 renewal.
with premiums of
3. The primary drivers behind the increase from 2020 to 2021 are increased market
pressures in Crime, D&O, Professional Indemnity and Cyber. All these classes of
insurance have been impacted by the wider ‘hardening’ of the insurance market in
recent years, driven by many years of over-supply of insurer capacity and increases in
claims activity, in particular for Crime, D&O and Cyber.
4. The cyber risk landscape has changed very significantly in the past 5 years and
continues to rapidly develop. The cyber insurance market is relatively immature and
insurers participating have become increasingly uncomfortable with the risks emerging
and the size and level of claims (especially in areas such as ransomware, data breach
and business interruption). This has led to a flight of capacity from the market, reduced
insurer appetite, greater focus on a client’s risk quality and very significant increases to
premiums.
5. The below table outlines the historical premiums and forecast premiums for the policies
in place:
Policy / 2019/20 Inception Premium / 2020/2021 Renewed Annual Premium / Forecast for 2021/22 / Forecast for 2021/22
Crime/Specie
Directors & Officers
Cyber
Professional Indemnity
Combined Liability
IRRELEVANT
Sabotage & Terrorism
Personal Accident & Business Travel
Special Contingency *
Total Premium (excluding taxes)
Can we amend our strategy to reduce the premium increases?
6. The pre-renewal strategy previously shared with ARC, see Appendix 1, set out a number
of strategies for managing the challenges of the insurance market and for mitigating the
cost pressures anticipated. We have set out below some specific areas for further
examination and consideration.
Crime / Specie:
7. As provided last year Lockton can obtain ani.
structure, _whereby t
but removes areas of cover such a:
which is cu
deductible)
(amongst o'
IRRELEVANT.
9. This approach is expected to be compliant with the terms of th
both of which would need to be
reconfirmed if we progress this as an option.
10. When this option was considered as part of the 2020 renewal it was deemed that the
We ask ARC to consider
its views for the 2021 renewal.
Cyber
What are other companies doing to manage the increases in premiums?
11. Our insurance brokers, Lockton, have advised us that all their corporate customers
buying Cyber insurance are experiencing significant pressure on premium, deductibles
and cover.
han ever
13. Our brokers have seen cases of businesses accelerating plans around areas such as
in order to be able to obtain cyber insurance, whilst many buyers are taking significantly
higher self-insured retentions (some imposed, some voluntary) to mitigate cost
increases.
14. It is less common for companies to b…ing their policy limits - although some
buyers with high limits (in excess of} have experienced challenges in obtaining
the capacity they need.
17. Cyber risk remains an area of concern across the business community and as such we
also propose obtaining quotations to allow us to consider an increase in our current limit
of indemnity fro } We will also obtain quotations for points between
This approach would see POL! IRRELEVANT
Jand we are
cognisant of this as an issue to address should we wish to change the basis of our cover.
Directors and Officers
20. There are limited options available to limit premium increases beyond the broking
strategies outlined in the previous paper to ARC, which largely focused on close
engagement with the insurers and ensuring their view of the POL risk is as po:
can be achieved. The structural option IRRELEVANT
Professional Indemnity
21. We will explore deductible options to assess the cost mitigations available. However,
contractual and regulatory requirements (e.g. FCA) restrict what we can do with policy
limits and therefore reductions may not be possible.
Next steps
22. We request that ARC provide their view on the options available regarding insurance
premiums and options available and provide delegated authority for the Group CEO and
CFO to finalise the terms of the renewals.
23. Subsequent to this, and when the timetable allows, accurate renewal terms will be
obtained and entered into, factoring in changes in policy cover as required.
Tab 7 Whistleblowing Policy Interim Review
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Whistleblowing Report
Meeting Date: 28th September 2021
Author: Sally Smith, Money Laundering Reporting Officer & Head of Financial Crime
Sponsor: Ben Foat, Group General Counsel
Input Sought: Noting
The Committee is asked to:
• review the whistleblowing report and progress against action plan as part of its role in
monitoring the adequacy and effectiveness of the Group’s whistleblowing systems and
controls
Previous Governance Oversight
• Whistleblowing Policy Review and Report March 2021
Executive Summary
Since the March report a high number of actions have been completed or progressed and a
number of changes implemented to whistleblowing processes which have further strengthened
the controls.
Comparison of 2019/20 and 2020/21 has not identified any significant changes, albeit that
following training and communications delivered March-April 2021, we have seen an increase
in reporting and engagement with teams across Post Office dealing with complaints and issues.
The Protect self-assessment and benchmarking exercise is going to be re-run in October, and
the results should see a significant improvement in scores relating to Engagement and
Operations reflecting the changes implemented and the increased maturity of approach.
Questions addressed
1. What progress is being made against the action plan agreed in March 2021, and what
additional improvements have been identified?
2. Is there anything of concern identified from a review of the reports received 2020/21
compared to 2019/20?
3. Are the current whistleblowing arrangements adequate in light of the GLO and the Public
Inquiry?
Report
4. Since the last report in March 2021, the following activities have been delivered:
* Mandatory Whistleblowing training delivered to all employees via Success Factors
* A One Website article was published for Postmasters, together with a podcast from
Zarin Patel, the Whistleblowing Champion, to raise awareness of the importance of
speaking up.
* The Postmaster Support Guide was updated to add additional information about
whistleblowing.
* In April, all employees were notified about the “Public Inquiry Whistleblowing Survey”
and encouraged to take part.
* The new Whistleblowing Manager started in May and the Whistleblowing Team have
commenced quarterly meetings with Zarin Patel - two meetings have taken place to
date.
* Provided training and coaching to Customer and Postmaster Support teams within Post
Office to help them to identify reports or complaints that should be referred to the
Whistleblowing Team. We have started to see an increase in referrals from the
Customer Support Team.
* Developed and deployed a new investigations pro-forma to ensure full and consistent
documentation of the investigation and capture of lessons learnt/corrective actions.
* The new Whistleblowing Manager is making regular contact with whistleblowers
(where they have not reported anonymously) and is undertaking a large part of the
investigation work, or providing coaching and oversight where the investigations are
assigned to other managers across Post Office.
* The monthly MI pack has been enhanced to provide a broader view of activities and
outcomes to senior stakeholders. The pack is now distributed monthly to all GE
members.
* Migrated the external Speak Up service from Navex to Convercent from 1st August -
the new service offers a much improved case management system and MI/Analytics
platform, at a reduced cost. The new service also has a dedicated Post Office phone
line (which could be transferred if there are any future provider changes) and a unique
Post Office URL (speakup.postoffice.co.uk).
* Additionally, the contract with the new provider enables us to formally open up the
external service to Postmasters and communications on this are planned for
September. We are also in discussions with internal teams to develop and deliver
speak up/whistleblowing posters to all branches and back office locations.
* Having reviewed the Whistleblowing processes and controls within Post Office Group
as part of the Protect self-assessment and benchmarking, the need for an independent
team to complete investigations was identified. This ensures independence,
consistency in the depth and quality of investigations and removes the risk of bias in
an investigation (either conscious or unconscious). Funding approval was obtained
for two full time Compliance Investigations Officers and offers have been made for
both roles, with the individuals joining the team from early October.
* Pending the start of the new Compliance Investigations Officers, a temporary support
was recruited at the beginning of September to assist with the migration of the historic
whistleblowing cases onto the new case management platform, develop new MI and
dashboards and document all investigation, case management and MI processes.
5. Due to the delay in the Public Inquiry, the opportunity has been taken to delay re-running
the Protect self-assessment and benchmarking as this gives more time to implement
changes and improvements. An employee survey is planned for September and we will
re-run the self-assessment and benchmarking in October.
6. Additionally, the documentation of processes and procedures was delayed, once the need
to move to a new external provider was identified in June. Work on this should now be
complete by the beginning of October.
Review of MI
7. Whilst the number of cases received in 2019/20 and 2020/21 remains steady at 41 and 43
respectively, due to the recent initiatives to raise awareness of the whistleblowing service
and promote a speak up culture within the business we have seen 34 cases up to Period
5 2021/22, averaging 7 cases per month. We therefore currently predict a 90%+ increase
in 2021/22.
8. Of the 43 reports received in 2020/21, 33% were raised by Agent Assistants, 27% by Post
Office Employees and 13% by members of the public. The remaining 27% were
anonymous (see Appendix A for a summary of 2020/21 MI).
9. Despite a number of well publicised reports across organisations of a high level of Covid-
related reports since March 2020, only 3 Covid concerns were raised via Post Office
whistleblowing channels, which appears to indicate that the measures put in place and the
information provided by Post Office were robust.
10. The majority of reports received in 2020/21 related to Postmasters, with 73% being
unsubstantiated. Of the 4 substantiated reports:
* One related to allegations by a Postmaster assistant of mails fraud and resulted in the
termination of the Postmaster contract
* One related to an anonymous report regarding cash discrepancies. The Postmaster
was suspended and arranged to repay the monies owing
* Two related to the sharing of SmartIDs (evidence of use of one Postmaster’s own ID
when he was out of the country and other Postmaster admitted sharing). Dealt with
via Contracts and regular ongoing oversight by Area Managers. A communication has
also gone out to the Network re-confirming SmartID procedures.
11. A further 8 cases were substantiated, relating to a number of issues:
* An employee posting inappropriate comments on social media
* Theft by a Postmaster assistant
* Non-conformance by employees with Post Office policy and procedures
* Employee SmartID mis-use
* One allegation of employees not following Covid-19 isolation requirements
12. We have seen a decrease in the number of cases raised via the Speak Up line and an
increase in them coming directly to the Whistleblowing mailbox, although we have been
unable to identify an underlying reason for this.
13. In the last few months we have seen the largest volume of cases (38% / 13 reports) from
referrals from the Customer Support Team. This has been driven by coaching and
collaboration between the Whistleblowing and the Customer Support teams.
Conclusions and recommendations
14. A number of actions have been taken to address the areas for improvement highlighted
in the Protect self-assessment and there is an ongoing programme of improvement (see
Appendix B for the latest action plan). Key to this is ensuring that the Whistleblowing
Champion and the GE receive a monthly dashboard showing current reports, issues and
trends, enabling them to provide further oversight and governance. The new Convercent
Case Management system will allow the dashboard to be further enriched.
15. The approval and recruitment of dedicated Compliance Investigations Officers will ensure
independence and consistency in all future investigations and ensure that regular feedback
is obtained from whistleblowers to ensure we can enhance the service.
16. The relationship with the new Whistleblowing Champion is established and is working well
to provide independent oversight of activities, test the opportunities to identify further
areas for improvement and maintain focus on the importance of speaking up.
17. Working closely with Customer and Postmaster Support teams is ensuring that a joined
up approach to understanding issues across the business is achieved, albeit further work
is planned to improve this further.
18. From the review of MI and current activities, no concerns have been identified relating to
the GLO or the Public Inquiry, although further work is planned to raise awareness across
both employees, Postmasters and their teams about the importance of speaking up if
individuals have concerns.
Tab 8.1 Legal Risk Review (non-GLO/ Starling)
H1 Legal Risk Review Report 21/22
28th September 2021
Author: Sarah Gray, Group Legal Director
Sponsor: Ben Foat, Group General Counsel
Strictly Confidential & Legally Privileged
Tab 8.2 Contract Management Framework Controls cover paper
POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT
Title: Annual Contract Management Framework Report
Meeting Date: 28 September 2021
Author: Sarah Gray, Group Legal Director
Sponsor: Ben Foat, Group General Counsel
Input Sought:
The ARC is asked to note the steps taken and planned to encourage ongoing compliance with
the Contract Management Framework.
Previous Governance Oversight
Post Office ARC Meeting of 25 November 2019.
Project Review Board of 14 January 2020 and GE Tactical Meeting of 12 February 2020.
Post Office RCC Meeting of 10 March 2020 and ARC Meeting of 26 March 2020.
Post Office RCC Meeting of 6 May 2020 and ARC Meeting of 19 May 2020.
Post Office RCC Meeting of 10 September 2020 and ARC Meeting of 22 September 2020.
Post Office RCC Meeting of 14 September 2021 and GE Tactical Meeting of 22 September
2021.
Executive Summary
1. c1,250 contracts have now been uploaded onto Web3 with new processes and controls in
place to mitigate the risk of new contracts not being managed effectively.
2. The responsibilities which accompany being a Contract Manager are often not reflected in
individuals’ Objectives and Personal Development Reviews. This makes conformance with
the Contract Management Framework difficult to enforce as presently, there are no real
consequences for individuals when responsibilities are not discharged.
3. In order to mitigate the risks associated with poor contract management, it has been
recommended that i) a senior individual within each business unit is made accountable for
ensuring Contract Managers effectively manage contracts in their business unit and in
accordance with the Contract Management Framework; or ii) where a GE member has fewer
contract managers in their business unit, they act as a direct liaison point between the CMF
Paralegal and contract managers.
Questions addressed
1. How has the Contract Management Framework been implemented since the ARC approvals
of 22 September 2020?
2. What further should be done to embed contract management across the Post Office Group?
Report
1. Across its Group¹ (“The Group”), Post Office operates a decentralised contract management
model whereby individuals across the business are responsible for managing relationships
between Post Office, vendors, and the respective contracts. This model was recommended
to, and approved at, ARC in November 2019 on the basis of it being more cost efficient and
less disruptive than creating a centralised contract management team. This was piloted
with the most material contracts that The Group was party to, as identified by the Group
Executive (“GE”) and their direct reports (“GE-1”). The Pilot completed in June 2020 and
the ARC approved the recommended approach for remediating² non material contracts over
their respective contractual lifecycles e.g. as they are renewed, cease or new agreements
are entered into. The final version of the Framework was approved at the ARC in September
2020.
¹ Post Office Limited, Payzone Bill Payments Limited, Post Office Management Services.
2. To accelerate Post Office having a view of its full contractual landscape, the legal team has
worked closely with the procurement and programme teams to locate and upload onto
Web3³ contracts which are in effect with suppliers (expenditure) and clients (revenue
generating). This has resulted in an additional c600 contracts being uploaded onto Web3.
3. On 9 November 2020 new processes came into effect. The Group General Counsel issued
a business wide communication stating that contracts could no longer be executed without
a contract record having first been created on Web3. If Contract Approval Forms are
received by the Company Secretariat without the associated Web3 reference, these are
now rejected. In total, there are now c1,250 contracts on Web3 (Post Office: 1,081,
Payzone: 81, Post Office Insurance: 71).
4. To support Contract Managers, embed the new requirements, and enable compliance with
the Framework:
a. The LCG Academy deliver regular ‘drop in sessions’ to provide training on contract
management and how to map legal obligations. Initially these were delivered on a
fortnightly basis but are now delivered monthly. We estimate training has been
delivered to c80 Contract Managers across The Group⁴. In addition, the Company
Secretariat continue to deliver training across the Group on the Contract Approval
Process.
Both sets of training are recorded, with videos (along with all other documented
guidance) hosted on the LCG Contract Management Intranet page⁵. Training will also
go live on Success Factors in October, which will be available to colleagues across the
Group and will be mandated for all new employees, as part of their induction.
b. A number of changes have also been made to the Web3 Contract Management Module
and eCAF application to improve the user experience, make them more intuitive for the
business to use and, as a by-product, reduce the number of questions the Company
Secretariat and Contract Management teams receive and have to respond to. The
changes made to the Web3 Contract Management module will also improve the
business's ability to report on client and supplier contracts. Improvements include but
are not limited to:
* Reporting functionality from DocuSign to enable the identification of any contracts
signed without a CAF. This allows the Company Secretariat to identify any
instances of non-conformance with the Contract Execution Policy.
* The inclusion of an additional field on Web3 to capture whether a contract is a
supplier contract or client contract (i.e. revenue generating or expenditure).
* Requiring evidence that the counterparty has agreed to electronic execution and
has the authority to sign on behalf of the counterparty.
* The CAF and Web3 are separate systems which do not ‘talk’ to one another. The
CAF now includes a mandatory field for the contract record reference on Web3, to
enable cross referencing.
* The addition of a final review page on the CAF, to enable users to check that all
of the information they have inputted is correct, ahead of submission, to reduce
the number of submissions which need to be rejected.
A number of further tactical improvements are planned. These are set out in annex C.
c. There is now dedicated BAU support through the appointment of a CMF Paralegal who
joined the Post Office Legal Team in June 2021, after, as planned, the CMF programme
and its associated funding ended on 31 May 2021.
² Contract Managers and Contract Owners appointed, Contract uploaded onto Web3, legal obligations mapped.
³ The current web-based eProcurement platform which Contract Managers use in order to manage their contracts. The tool is
managed by the Procurement Team. However, assistance in relation to the functionalities of Web3 can be offered by the Contract
Management team, which sits in the Legal team. The system is “source to settle” meaning it integrates on one platform the
sourcing of suppliers through to the purchasing of goods or services. It provides a platform for contract drafting, management and
execution via an integrated DocuSign function and therefore acts as a database for all the contracts to which The Group is
party.
⁴ Training will be offered specifically to those Contract Managers who have not yet received training.
⁵ https://poluk.sharepoint.com/sites/Icg/SitePages/Contract-Management-Framework.aspx
5. The combination of the above, plus other controls such as Contract Managers receiving
automated alerts as a contract approaches its expiry date⁶, should enable the effective
management of contracts via a clear and standardised management, risk and governance
framework. However, as included in the most recent biannual Legal Risk Report, we
continue to see:
* Contracts expiring without new written contracts being put in place.
* Services being provided or received from third parties without a contract in place.
* Key contractual obligations not being understood or monitored leading to breach of
contract and rights and benefits under the contract not being received.
* Wasted spend and resources arising from poor planning.
* Contract Owners and Contract Managers leaving The Group without transferring their
responsibilities to a colleague.
6. Owing to the aforementioned decentralised model, there are c150 Contract Managers that
have been identified across Post Office. The split by business unit is provided in Annex A.
Owing to the number of Contract Managers across the Group, it is difficult to enforce
accountability and consequences amongst this population for not discharging all of the
responsibilities which accompany being appointed as a Contract Manager. In the main, they
are not reflected in individuals’ objectives, nor do they form part of bi-annual Performance
Development Review (“PDR”) discussions.
⁶ 120, 90, 60, and 30 days ahead of the contract ending.
7. To reinforce the importance of good contract management, the GE have been asked to
assign a direct report to be accountable for ensuring the Contract Managers managing
contracts within their business unit discharge their responsibilities. This will include
ensuring that there is an appropriate handover (using the template included at annex D)
when contract management responsibilities move. These individuals will receive a monthly
report from the CMF Paralegal which details, for example, the Contract Owner and Contract
Manager for each relevant contract, the counterparty, obligations (where they have been
mapped), contract term and termination date. This accountability will be reflected in the
individual’s quarterly objectives and feature in the PDR discussions.
4. The roles and responsibilities for managing each individual contract will remain unchanged
(and as set out within the below table). Members of GE will however now be supported by
an individual within each business unit checking their Contract Managers are discharging
these responsibilities. Where members of GE have fewer Contract Managers in their business
unit, they will act as a direct liaison point between the CMF Paralegal and contract
managers.
Annex A: Number of Contract Managers by Area of the Business
Group Chief Commercial Officer: c40
Group Chief Operating Officer: c10
Retail & Franchise Network Director: 4
Group Chief CIO: c16
Group Chief CFO: 28
Group Chief People Officer: 10
Group General Counsel: c17
Group Corporate Affairs & Comms Director: 14
Business Transformation Director: c2
Annex B: Roles of the Contract Owner and Contract Manager
Contract Owner (CO)
* Person accountable for the budget/cost centre that funds the contract and the
performance of the contract
* Employee with delegation to approve contract payments and variations
* Appoints the contract management roles
* Recommended to be a senior employee who is impacted by the contract outcomes
Contract Manager (CM)
* Day-to-day management of contract lifecycle from tender to exit
* Single point of contact for suppliers and partners on all contract matters
* Monitor contract performance and compliance
* Recommended to be a representative within the business unit with the relevant
skills
* Perform administrative activities over the contract management lifecycle (e.g.
information management, support change request processes, variations, cost
control, etc.)
Annex C: Planned Tactical Improvements
1. Extension Agreements — Records are being created solely for extension agreements and not being added to the
original record for the original agreement, or where there is no existing record on Web3 for the original
agreement, a new record is being created solely for the extension and named as a new contract.
The Extension/Variation/CCN option in the document type drop down field is being removed. Training and
Business User Guides need to be updated to include further detail of the steps to be taken when uploading an
extension agreement or a renewal.
2. Records Ending — Existing records are being allowed to expire prior to an extension being uploaded meaning that
there are numerous requests for the record to be returned to draft in order to change the end date and add the
extension agreement. There is also no check being carried out as to whether the agreement being added is an
extension or a renewal.
CMs already receive alerts that a record is coming up for expiry but do not seem to be acting on these. The
proposal is for the GE to identify a direct report who would be accountable for ensuring the Contract Managers
managing contracts within their business unit discharge their responsibilities.
3. Contract Search — When using the Contract Search function searching by Supplier name the entries which appear
in the tabs do not include the Supplier and are often not for the Supplier which has been searched for. It also does
not display the name of the CM. This makes it difficult and time consuming for individuals to identify the correct
record.
Supplier name and CM to the fields which appear when searching for a record.
4. Groupings — Records are saved under specific business groupings however when stakeholders move to different
areas of the business, they have access issues as they are sometimes unable to see records under a different
grouping.
The proposal is for the GE to identify a direct report who would be accountable for ensuring the Contract
Managers managing contracts within their business unit discharge their responsibilities.
5. Multiple Records — There are often multiple records created for the same agreement as individuals are not first
checking whether a record already exists or if the CAF submission has been rejected, they think a new Web3
record needs to be created.
The training and user guides are being updated to emphasise the need for a search to be carried out to identify
whether a record already exists on Web3 for that Supplier/Agreement prior to a new record being created. Adding
the Supplier name in the tab which appears when searching for contracts will also be beneficial as a remedy to
this issue so that records can be more easily identified.
6. Alert to action record in Draft — There is no functionality for an alert to be sent to the CM or the creator of a
Web3 record which has been left in Draft. This has resulted in duplicate draft records being created or records
left in draft status and not sent for approval. There are currently 309 draft records on Web3.
Draft records will be deleted if they are not sent for approval.
7. Contract Manager Incorrect — The Contract Manager listed on Web3 is often incorrect, this is mainly due to the
creation of records being delegated to someone who either does not know who the CM should be or puts
themselves as CM so that the CAF can be approved.
An alert is now sent to CMs when they are appointed as CM for a particular contract, which enables them to
challenge this, if it is not correct. CM field to also be added to the eCAF, to enable cross referencing and disparities
to be challenged.
Annex D: Contract Management Handover Template
Post Office Limited - Contract Manager Handover Template
Name of Contract Owner:
Name of Contract Manager:
Business Unit:
Supplier Name:
Supplier Number (i.e. 301234):
Third Party Sub-Contractor:
Contract Title:
CAF Number:
Contract Signature date:
Contracting entity:
Contract Type:
Material or Non-Material:
Right of assignment/ novation:
Contract Description (goods/services/ what will be delivered): Development of the digital identity product and associated services
Key Dates/ Milestones:
Extension Options? SLA? KPIs?
Contract Value:
Yr1 | Yr2 | Yr3 | Yr4 | Yr5 | Total: £0.00
Yr6 | Yr7 | Yr8 | Yr9 | Yr10 | Grand Total: £0.00
Start Date:
Minimum Term End Date:
Exit Notice Period:
Review Date:
Exit Period:
Data recovery on exit:
Procurement Category Manager:
Procurement Category:
Supplier Segmentation Status (see SRM Requirements tab):
Procurement Project number (Bravo/Wax):
Procurement Process:
Procurement Method:
Value of indemnities/ Liabilities:
Contract Risks:
Commercial Risks:
Termination Rights:
Termination Period:
Obligations: key dates and key metrics arising from regulations or other obligations which must be reviewed (must do, should do)
Applicable Regulations?
Yr1 | Yr2 | Yr3 | Yr4 | Yr5 | Total
Savings: £0.00
Cost Avoidance: £0.00
Yr6 | Yr7 | Yr8 | Yr9 | Yr10 | Grand Total
Savings: £0.00
Cost Avoidance: £0.00
Additional benefits not covered in Savings (such as: compliance, efficiency, sustainability, revenue generation):
Acknowledged and Endorsed
Procurement Owner: Date:
Contract Owner: Date:
Business Owner: Date:
Legal Owner: Date:
Contract Manager: Date:
Vendor Manager: Date:
Finance Owner: Date:
Tab 8.3 Contract Management Framework & Appendices
Contract Management Framework
For Post Office and its Group Companies (Post Office Management
Services Limited (POMS / POI) and Payzone Bill Payment Limited (PZBPL))
Date | Version | Updated by | Change Details
01 September 2020 | 3 | Sarah J Gray / Renata Prywerek | Final
24 August 2021 | 4 | Sarah J Gray / Mark Underwood | Updating links to the relevant Intranet Pages. Introduction of a Contract Management Handover Template. Otherwise stylistic.
In this guide “Post Office” includes Post Office Limited, Post Office Management Services Limited
and Payzone Bill Payments Limited.
1. INTRODUCTION
2. RELATIONSHIP MANAGEMENT AND PROCESSES
2.1. Contractual landscape at Post Office
2.2. Planning
2.3. Onboarding and tenders
2.4. Contract Management Team - Roles & Responsibilities
2.4.1. Responsibilities of the Contract Owner
2.4.2. Responsibilities of the Contract Manager
2.4.3. Teams supporting the Contract Managers and Contract Owners
2.5. WEB3 - Digital Contract Management Tool
2.6. Assessment and Acceptance of Risk
2.7. Contract Approval
2.7.1. Authority to Sign
2.8. Execution of Contracts Flowchart
2.9. Storage of Contracts
3. CONTRACT MANAGEMENT IN DETAIL
3.1. Contractual Terms
3.2. Risk Management
3.3. Developing Internal and External Relationships
3.4. Payment and Budgets
3.5. Contract Review
3.6. Managing wider market issues
3.7. Handling of contract changes
3.8. Manage Complaints and Disputes
3.9. Escalation and reporting of issues
3.10. Contract Close-out
3.11. Managing re-procurement
3.12. Final Performance Review
3.13. Managing Transition
4. TOOLS FOR CONTRACT MANAGERS
5. THE FRAMEWORK CONTROLS AND GOVERNANCE
5.1. Responsibility
5.2. Framework Approval
Annex 1 - Control Standards
Annex 2 - Partner Management Guide
1. Overview
1.1. Partner segmentation
1.2. Due diligence
Partner Relationship Management (PRM)
2.1. Why do we need to do partner management?
2.2. What PRM includes?
2.3. When does partner management need to happen?
Partner Segmentation
3.1. What is partner segmentation and when should it happen?
3.2. How to segment partners?
3.3. Description of segments
3.4. Partner Segregation Matrix
3.5. Partner Segmentation Tool
3.6. Required Partner Management Activities
APPENDIX 1 - Detailed Supplier Management requirements and guidance
APPENDIX 2 - IT Supplier Segmentation
1. INTRODUCTION
1.1. Purpose
The purpose of this Framework is to provide a clear and standardised management, risk and
governance framework that must be complied with in order for Post Office to manage its contracts
with suppliers and clients effectively.
A Supplier is a company that delivers services to Post Office, whereas a Client is any other
company that has a contractual relationship with Post Office, e.g. where Post Office delivers
services or products. For the purposes of this Framework we will refer to Suppliers and Clients as
Partners.
1.2. Objectives
The Framework sets out the internal controls and operational standards to be adhered to. Managing
contracts with Partners in accordance with the Framework will reduce the likelihood of the risks
associated with poor contract management from crystallising. Examples are provided in section
1.4.
1.3. The Scope
Post Office operates a decentralised contract management model with support from centralised
services such as Procurement and Legal. The Framework covers the entirety of the contractual
‘lifecycle’ - from the establishment of the business case and confirmation of need, through to
contract administration and relationship management and, finally, contract close-out. The lifecycle
of a contract can be divided into three interdependent phases:
Phase 1 - Transition:
• Contract Award.
• Contract Classification, based upon value and risk.
• Assignment of Contract Management Roles.
• Finalise Contract Management Plan.
• Set up information management structure.
Phase 2 - Contract Management:
• Performance.
• Administration.
• Risk.
• Extensions / Renewals / Variations.
Phase 3 - Close Out:
• Performance review.
• Lessons learnt.
• Close out / transition.
1.4. Benefits
Effective Partner and contract management is important. It enables Post Office to:
• On-board new Partners in accordance with the prescribed processes designed to protect
Post Office from engaging with inadequate partners;
• Enter into contracts which include only acceptable and manageable risks;
• Ensure awareness of its rights under the contract;
• Bring the best outcomes to customers by evolving and developing new solutions with its
Partners;
• Ensure ongoing contract compliance and performance, reducing contractual risks through
robust contract management practices;
• Effectively deliver contracts at or under the agreed costs and rates and identify savings
and revenue opportunities throughout the contract management process;
• Efficiently exit and on-board replacement Partners to continue providing its products and
services with a minimum impact on customers;
• Ensure the probity of the ongoing procurement activities;
• Maximise outcomes to Post Office by ongoing management of performance - reducing the
likelihood of
o Disruption to the delivery of goods or services to the business;
o Disputes, contractual issues and exposure to potential claims;
o Reputational damage; and
o Negligent and fraudulent behaviour by employees and contractors.
• Ensure Contract Owners and Contract Managers understand their responsibilities in
relation to the contract management process.
1.5. Framework Overview
The Framework provides information on all the stages that a Contract Manager and Contract Owner
need to consider when managing a relationship with a Partner. Detail on each of the stages is
provided in section 2 of the Framework.
[Figure: overview of the Framework stages. Legible labels: "Planning: Is the relationship consistent with business strategy", "Contract Formation", "Acceptance of Risk" and "Contract Execution".]
2. RELATIONSHIP MANAGEMENT AND PROCESSES
2.1. Contractual landscape at Post Office
Post Office enters into a number of different contracts in the course of day-to-day business, and
these are one of the main tools used to manage its relationships with Partners. Supplier contracts
are particularly common given that most products or services currently sold by the Post Office
(with the exception of Postal Orders) are white labelled (i.e. produced by or belonging to another
company), and therefore to provide these products or services effectively, Post Office needs to
work with its Partners.
The following diagram illustrates some of the different types of contracts that Post Office may enter
into to cover the network of relationships it is party to:
[Figure: types of contracts across Post Office's network of relationships. Legible labels include "Suppliers", "contracts with DVLA, Home Office or utility companies", "... and services to customers" and "IT contracts ... provide IT infrastructure".]
Contracts must be managed effectively at each stage of their lifecycle and across all
interdependent relationships, with consideration of back-to-back protections, as a contract
cannot always be looked at in isolation.
2.2. Planning
Before Post Office enters into a relationship with a new Partner it needs to consider if that new
relationship is consistent with its strategic approach, needs and requirements. This analysis is
often carried out using a business case document or plan which is submitted to the appropriate
committees for approval. In putting together the business case, the relevant business area should
be addressing the following:
• Is the proposed relationship consistent and aligned with business strategy?
• What are the resourcing requirements under the contract?
• Is there existing budget to meet contractual commitments?
• What other criteria need to be met, i.e. IT, systems and processes, third parties/sub-contractors?
• Is it in the best interests of the company?
• Is the operational model consistent with the Post Office target operating model and
technologies?
• Does a structured procurement process need to be followed in order to appoint the
Partner or to provide a supply chain to support the Partner?
It is important to note that only Post Office Limited is subject to Public Contract Regulations 2015
(PCR), whereas Post Office Management Services Limited (POMS / POI) and Payzone Bill
Payments Limited (PZBPL) are not. However, each of POI and PZBPL’s procurement and sourcing
policies will apply, and each group member should be following the best practice Standards and
Policies in Procurement established by the Chartered Institute of Procurement and Supply¹.
Neither POI nor PZBPL can procure goods and services and on-supply them to Post Office Limited.
2.3. Onboarding and tenders
The procurement team assists with selection of the appropriate Suppliers to Post Office.
Supplier selection - is carried out during the procurement sourcing exercise and tender to
determine the capability and capacity to deliver the goods or services being procured. This also
includes due diligence to social value and social responsibility aspects.
Supplier due diligence — for data collection and compliance, checks are performed once the supplier
has been selected.
Supplier Code of Conduct - is included at selection and due diligence stages. It makes clear the
standards and expectations for an entity to be a supplier to Post Office.
Where Post Office is entering into a relationship with a Client, appropriate due diligence must be
carried out.
Partner Due Diligence:
• Partner screening - suitable, credible and have capacity to deliver.
• Monitor performance of the partner and ongoing financial screening (e.g. Dun &
Bradstreet) particularly for IT suppliers and Insurers.
• Compliance with SLAs, KPIs etc.
• Pricing reviews.
In order to manage partners effectively, the Contract Manager should assign the partner to a
specific segment using the Segmentation Matrix and Segmentation Tool set out in the Partner
Management Guide (PMG).
Once the segment is assigned, the Contract Manager will be able to manage the partner via
Web3’s Partner Management Module. This Module sets out various templates that the Contract
Manager can use to effectively manage the partner. For more detail on Web3, please refer to
section 2.5.
Public Contract Regulations 2015
Where Post Office Limited sources a supplier, it is highly likely that Post Office will have to follow
a structured procurement process under the Public Contract Regulations 2015.
¹ https://www.cips.org/knowledge/procurement-topics-and-skills/strategy-policy/procurement-policy-development/standards-and-policies-in-procurement/
Any such supplier agreement with a cost of over £25k must be tendered under the Public Contracts
Regulations 2015 with the assistance of the Procurement Team. This is to ensure that public contracts
are awarded fairly, transparently and without discrimination on the grounds of nationality and
that all potential bidders are treated equally. The Procurement Director is responsible for
overseeing Post Office’s procurements and ensuring that Post Office’s purchase of goods, services
and works is in accordance with law and provides value for money. POMS supplier contracts should
be procured in line with the supplier Procurement Policy which can be found on the POMS Procurement
Sharepoint page or through contacting POMS’ procurement team. In each case the Contract
Owner should seek help from the Procurement Team to run such a process.
Demand Management Model
Some supplier agreements will be dealt with purely by the Procurement Team without
involvement of the Legal Team. The Procurement Team will be able to assess if the agreement
needs to be presented to the Legal Team for review. Where possible, pro forma Post Office
contracts are used. This will aid simpler contracting, approvals and contract management
processes.
2.4. Contract Management Team - Roles & Responsibilities
Post Office has created various roles of accountability and responsibility so that there are clear
lines for supervision and management of contracts.
There are two essential roles for managing contracts effectively; each role drawing on a range of
skill sets. These roles may be assigned to current employees with the correct skills and delegation
of authority:
Contract Owner (CO):
• Person accountable for the budget/cost centre that funds the contract and
the performance of the contract.
• Employee with delegation to approve contract payments and variations.
• Appoints the contract management roles.
• Recommended to be a senior employee who is impacted by the contract
outcomes and is accountable for overall adherence to contract obligations.
Contract Manager (CM):
• Day-to-day management of contract lifecycle from tender to exit.
• Single point of contact for suppliers and partners on all contract matters.
• Monitor contract performance and compliance.
• Recommended to be a representative within the business unit with the
relevant skills.
• Perform administrative activities over the contract management lifecycle
(e.g. information management, cost control, etc.).
2.4.1. Responsibilities of the Contract Owner
The Contract Owner has the ultimate accountability for contract and partner management.
Responsibilities include:
• Ensuring partner management activities are completed in accordance with the
Procurement Policy and other related policies;
• Identification of a Contract Manager and, if required, a relationship manager;
• For highly complex partner contracts, potentially identifying a team of Contract Managers
to effectively manage day to day and change activities; and
• Ensuring that proper partner management is in place throughout the relationship.
The Contract Owner should consider the following when appointing the Contract Manager:
• Does the contract need to be managed by someone with specialist skills and experience
i.e. resources should be tailored to the materiality, risks and opportunities provided by the
contract?
• Does the individual have the required experience, knowledge and authority for the role
given the contract classification and risk profile?
• Do they have enough time to carry out the role?
• Can the person carry out multiple roles?
• Are they willing to take accountability for the role?
• Do they have any private interests or relationships that may give rise to claims of conflicts
of interest (perceived or actual)?
• How the contract fits into the wider portfolio of contracts; and the staffing requirements
across material and strategically important contracts.
2.4.2. Responsibilities of the Contract Manager
Contract Managers (supported by the Contract Owner) play a critical role for Post Office, directly
overseeing contracts throughout their lifecycle. Serving as the liaison between companies,
employees, customers, vendors, and independent contractors means Contract Managers serve as
the main facilitators for negotiations, recommendations, record keeping, monitoring, change
management, and more.
Contract management objectives should be included into Personal Development Plans for Contract
Owners and Contract Managers. Objectives will need to be clearly set out and agreed with
performance against the objectives being managed through reviews and appraisals.
Their responsibilities include:
• Providing a single overview/coordination point on behalf of their business entity including where
this requires facilitation of other functions e.g. Legal, Business Continuity, Information
Security, Procurement, Audit, Risk, Compliance etc;
• Scoping out commercial terms in contracts including for example services schedules,
pricing, SLAs etc;
• Providing the Legal or Procurement Team with commercial and service terms that are
necessary to populate and complete a contract;
• Aggregating a single view of the supplier in terms of commercials and service delivery;
• Ensuring that the rights and obligations are complied with. Post execution, the Contract
Manager must complete the contract obligation sections so that rights and obligations can be
managed.
• Regular reporting on the performance and compliance of the contract to the Contract
Owner; and
• Where necessary, the swift escalation of any issues affecting Post Office to relevant
stakeholders.
In order for the Contract Manager to effectively carry out their responsibilities they must have:
• Appropriate skills (both specific contract management skills and more general commercial
awareness and expertise) with access to the relevant training and development;
• Accurate job descriptions, roles and remuneration are positioned at an appropriate level;
• Clear objectives and reporting lines with their performance managed through reviews
and appraisals;
• Appropriate delegated authority to manage the contract effectively;
• Detailed knowledge of the contract(s) they manage and other related issues, such as
service level agreements, value adds and ongoing supplier performance;
• Knowledge of the organisational governance, processes, risk structures and organisational
risk appetite; and
Annex 1 provides a detailed breakdown of responsibilities for the Contract Management Team.
2.4.3. Teams supporting the Contract Managers and Contract Owners
Finance Approver: A person who ensures any financial exposure under a contract is understood
and can be fulfilled by Post Office and approves such exposure, i.e. the relevant Finance Director
for the area in which the contract originates.
Procurement: A procurement category manager who supports the Contract Manager to source the
right supplier and negotiate the best terms, and assists with the management of contract changes,
market intelligence and management of suppliers.
The procurement team also:
• Assists with maintaining and updating the Partner Management Guide based on best
practice principles including updates based on information received from business
functions regarding change in policy, procedure or regulatory requirements;
• Defines the appropriate application of the Partner Management Guide to supplier partners
and the associated segmentation standards and terminology defined within the
Procurement Policy and related frameworks;
• Provides, where possible, best practice tools and templates for use by Contract Managers;
• Provides guidance, advice and support to employees and Contract Managers in the
appropriate implementation of the Partner Management Guide and execution of associated
activities; and
• Supports the selection of new suppliers and ongoing management of all suppliers, in
line with the Procurement Policy. For Critical and Strategic/High Risk suppliers, providing
contract management support. For all other types of supplier, providing ad-hoc advisory
support.
Legal, Compliance and Governance: A person who provides expertise for areas where the
contractual, legal or regulatory exposure is greater.
This person will also:
• Own, maintain and update the Partner Management Guide based on best practice
principles including continual updates based on information received from business
functions regarding change in policy, procedure or regulatory requirements;
• Define the appropriate application of the guide to Suppliers and the associated
segmentation standards and terminology defined within policies and related frameworks;
• Provide, where possible, best practice tools and templates for use by Contract Managers;
• Provide frameworks and guidance on appropriate controls (including templates, FAQs and
training) to Contract Owners and Contract Managers;
• Provide guidance, advice and support to employees and Contract Managers in appropriate
implementation of the guide and execution of associated activities; and
• Support the negotiation of these instruments as well as any disputes which may arise.
Other business areas: In many instances other teams will need to provide feedback to the
Contract Manager. For example, the Communication and Marketing teams will be able to assess
if Post Office is able to fulfil any marketing related obligations prior to execution. It is crucial to
identify and then cooperate with any teams that may be affected.
2.5. WEB3 - Digital Contract Management Tool
The WEB3 system is the current web-based eProcurement platform which Contract Managers
(with support from the Procurement and Legal Team) must use to manage their contracts. The
tool is managed by the Procurement Operations Team, therefore any access queries should be
directed to contractmanagemen:
Benefits of using Web3 include:
• An integrated platform which captures the activities of a relationship with a Partner from
onboarding, due diligence, procurement activity, contract, relationship management and
transactional purchasing.
• Procurement and SRM modules which allow for interaction with Partners and the sharing
of documents and messages via a Portal.
• The facilitation of formal performance reviews and documented improvement plans
covering both operational issues and adherence to key contractual requirements, via the
SRM Module. The management of Partners should be recorded via the Supplier
Relationship Management module (SRM) on Web3. This will create visible audit trails and
ensure a unified approach to partner management across Post Office.
• 360 degree visibility of Partner activity, enabling better decision making, the leveraging of
spend and reduction of risk.
• Standardised Post Office templates and processes which enable MI & Analytics to be
produced that are measurable and comparable.
• Supplier partners are able to manage their account information themselves, reducing the
risk of fraud. Partners can access their information at all times and have an audit trail of
all activity.
• Prompts, notifications and trigger emails alert Post Office employees and Partners to
activities that need to be done with an audit trail created of every action performed in the
system.
2.6. Assessment and Acceptance of Risk
Risk Appetite: Post Office has specified its risk appetite in respect of contractual and operational
risks in existing and new relationships. Therefore, all employees at Post Office must act within
those defined levels in order to avoid unauthorised exposure.
In respect of legal and regulatory risk appetite, Post Office has set risk appetite which is revised
by the Post Office’s Board every year. The Risk Appetite Statement can be found on the Post
Office intranet - the Hub.
*Note: Litigation may result when the rights and obligations under the contract have not been
managed compliantly.
Legal Risk Notes: When dealing with contracts every stakeholder should bear in mind the
acceptable levels of risk, to ensure that any risks accepted are not greater than they should be.
One of the tools that the Legal Team will equip the Contract Manager and Contract Owner with is a
Legal Risk Note which sets out the contractual risks and the mitigants. Contract Managers should
ensure that the mitigants are regularly reviewed to ensure they are effective in the management of
the risks and remain enforced/effective during the life of the contract.
Legal Risk Notes must NOT be distributed to the wider audience as these documents set out the
risks Post Office is taking when entering into the agreement. Legal Risk Notes are also privileged
and by NOT distributing them to wider audience, privilege can be kept, i.e. Post Office will not
need to disclose them in disputes.
Exceptions: Post Office acknowledges however that in certain scenarios even after extensive
controls have been implemented, a product or transaction may still sit outside the agreed risk
appetite. Therefore, if Post Office is going outside of the accepted approval processes, an
exception report (using the Risk Exception template) needs to be prepared and approved. For
more information on this process engage with the Risk Team.
2.7. Contract Approval
In order for a contract to be approved:
• if the contract has been reviewed under the Demand Management Model: a commercial
and legal summary prepared by the Procurement Team AND an approval from the
Procurement Team and other key stakeholders under the Demand Management Model²;
OR
• if the contract has been reviewed by the Legal Team: the finalised and agreed contract
AND a risk note prepared by the Legal Team, which needs to be provided to the Contract
Manager and Contract Owner; AND
• for all relevant contracts, the Contract Approval Process initiated via the eCAF App or
manually via a paper CAF; and a contract record created on Web3.
2.7.1. Authority to Sign
The Contract Approval process is to ensure the appropriate governance is followed and the
business does not enter into contracts that are outside of the Business Risk Appetite or are
commercially unsound. It also ensures that only colleagues with the appropriate level of
authority delegated to them by the respective Board or Chief Executive Officer/Managing
Director are agreeing to enter into Contracts that will ultimately legally bind the business.
The Contract Manager is responsible for this process and it can be completed in the following
ways:
o For Post Office Limited and POMS/POI: by submitting an online Contract Approval Form via
the eCAF App (Sharepoint - Team sites —- Legal, Compliance and Governance - Company
Secretariat Team)
o For Payzone: by completing a Contract Approval Form and obtaining the relevant sign offs
For further information on the Approval process please visit the Company Secretariat intranet
page.
Contract Owner. Within a company, the Board of Directors carries the ultimate responsibility for
the decisions made within its business. However, for practical reasons, the Board cannot make
every single day-to-day decision within a business itself. Therefore, each Company Board has
delegated its authority to its Chief Executive or Managing Director to enable the day-to-day
decision making process. The necessary Contract Owner for a contract is determined by Post
Office’s spend approval limits document, which may be found on the Decision Making page of the
Intranet.
² In some circumstances the Procurement Team will refer the contract to the Legal Team for further review.
No person is authorised to sign any
contract on behalf of Post Office
unless the contract has gone
through the Contract Approval
Process* and such individual is an
authorised signatory. Post Office
and its employees need to act
within their respective authority.
*Save for certain limited exceptions
under the Contract Execution
Policy.
Contract Signatory. Although the Contract Approval
Form must be approved by a Contract Owner, the
contract can only be signed by someone who is an
authorised signatory for the business, which is a
different list of people from those with spend approval
authority as Contract Owners. The Company
Secretariat will arrange for an authorised signatory to
sign the contract in accordance with the Contract
Execution Policy. It is also important to ensure that the
Contract Owner for the Contract Approval Form does
not also sign the contract as this is a potential conflict
of interest.
For more information on the Contract Approval Process or spend approval limits please see the
Execution of Contracts Flowchart and Tools section.
2.8. Execution of Contracts Flowchart
[Figure: Execution of Contracts Flowchart. Legible step titles: "Obtain required information", "Complete the Contract ...", "Submit Contract Approval Form to Approvers", "Submit Web3 Contract Record for Approval", "Contract Execution by CoSec".]
2.9. Storage of Contracts
All contracts will be stored on the Web3 system and hard copies³ will be kept and managed by
Company Secretariat, meaning that all contracts will be stored and logged in one central place.
Access to Web3 will be restricted at the appropriate levels to protect commercial and legal
sensitivities. CoSec team will keep some historic electronic copies which have not been uploaded
to Web3.
Web3 is the one source of truth: The final signed versions of contracts should be stored on Web3
and no other copies of contracts should be used. Web3 is the one source of truth and repository
across Post Office group.
Web3 will also ensure that key information is recorded to provide search capability, ongoing
contract management information and ensure documentation is retained and managed. All
supporting contract information is to be stored alongside each contract to ensure all relevant
information can be accessed in one place.
Contract Retrieval
All queries regarding hard copy contract retrieval and electronic copies of contracts which are not
stored on Web3 are to be directed to caf
3. CONTRACT MANAGEMENT IN DETAIL
Post Office adopted a decentralised model of contract management whereby the relevant business
units are responsible for the management and performance of the contracts with support from
others such as Procurement and Legal. Contract Owners should ensure that a Contract
Management Team is created identifying the Contract Manager, relevant financial director,
relevant lawyer, procurement representative and other key stakeholders.
Contract Management Team
Developed early, specific to the contract, regularly reviewed and may differ for each contract stage
• Confirm the roles of commercial function and other experts at each stage
• Produce clear documentation outlining roles and responsibilities
• Ensure that those involved in contracting have adequate skills, knowledge and proven
competency for their roles
• Make sure that people understand their role and have sufficient training and support
• Maintain clear documentation
• Manage handovers from procurement to operations and between commercial and operations
This should be proportional to the value, risk and complexity of the contract. In general the
level of risk in a contract increases the benefits of reducing such risk through a formal contract.
This section of the Framework sets out best practice to ensure that Contract Managers take a
holistic view of their contracts.
¹ All contracts should be executed electronically unless there is a particular reason why they cannot
be (such as the counterparty refuses or it is a deed).
3.1. Contractual Terms
The Contract Manager has to ensure that provisions of the contract are suitable for the proposed
relationship and mitigate and protect Post Office’s position as much as possible. Amongst other
considerations, the Contract Manager should ensure:
• Contractual terms around termination, warranties and indemnities are understood and
monitored;
• Security and confidentiality terms are understood and monitored by the Contract Manager,
particularly where there are elements of the contract relating to confidentiality of personal
data; and
• Dispute resolution processes are in place, including agreed adjudication procedures,
mediation and arbitration.
• Any contractual changes during the lifetime of the contract go through appropriate Post
Office governance.
• Contract management processes from the initial contract signing, are reviewed annually
and continue to be fit for purpose over the lifetime of the contract.
3.2. Risk Management
This Framework supports the management of contractual risk. Controls and processes assisting
the management of risk include:
• Contracts should be in place with clear responsibilities and processes for mitigation; this
must include identification of who is best placed to manage that risk and supplier
involvement where necessary.
• Where appropriate LCG will have provided risk notes that will formally identify risks and
the Contract Manager should ensure these are monitored regularly and mitigating factors
are developed and implemented where necessary.
• Contingency and exit plans must be developed for material contracts in order to handle
Partner failure and are to be kept updated through the contract lifecycle.
3.3. Developing Internal and External Relationships
• Responsibilities of the Contract Manager and the Partner should be clearly stated and all
contracts should be in writing.
• The Contract Owner must ensure continuity of key Post Office staff as far as possible
throughout the lifecycle of the contract. Where this is not possible, the Contract Owner
should ensure effective and appropriate handovers are given via the Contract Management
Handover Template, which is available on the Contract Management Intranet page,
accessible via the Hub.
• Both regular formal and informal communication routes between the Contract Manager
and supplier should be open and used. The internal Contract Management Team should
use collaboration tools such as Teams to ensure communications between themselves and
other business stakeholders are effective and the stakeholders have sufficient oversight
over the process.
• Management of contract performance should be well structured, ensuring baselines of
performance are understood by both parties. A Contract Manager must ensure that the
customer organisation provides the supplier with the information and contacts needed to
deliver the service.
• The Web3 system will allow for clear contact points for service users both within the
supplier’s company and the Contract Management Team. End users of the contract should
understand escalation routes where there are disputes. Regular and routine feedback
should be given to suppliers on their performance.
3.4. Payment and budgets
• Using Post Office contract templates will ensure that payment processes are well defined
and efficient. The Finance Team ensure that appropriate checks and authorisation
processes are in place for paying invoices.
• Ensuring the contract has gone through the Contract Approval process with finance sign
off obtained will ensure that the costs of services delivered are mapped against budgets
and allocated appropriately.
• Contract Managers will ensure that where service credits are inserted into a contract, these
are well managed and governed appropriately.
3.5. Contract Review
• The Contract Manager must regularly review the contract to ensure it meets evolving
business needs, and update where necessary using the appropriate change process.
• The 4 main areas of measurement and focus during reviews should be:
  - Cost control;
  - Timeline control;
  - Compliance with specifications/quality assurance/service levels; and
  - Compliance with terms and conditions.
• Where appropriate the Contract Manager should consider undergoing benchmarking
exercises to ensure value for money of existing services. These must be procured
compliantly via the Procurement team.
• Where new services are being introduced over the contract lifecycle, the Contract Manager
should consult Procurement to see if they can be compliantly added to the scope of services
or if a new sourcing exercise is required. Where the change is material, Procurement will
work with the Contract Manager to negotiate the commercial and legal changes required,
and ensure that there are processes to cover the introduction of new services and change
obligations are adhered to.
3.6. Managing wider Market Issues
• Teams should ensure that processes are in place to review options surrounding outsourcing
or delivering services in-house. Emerging technologies and practices should be considered
and teams should be open to new opportunities.
• Contract debriefs should take place where appropriate after the conclusion of a contract
which the Contract Manager should feed back into future strategy development and new
procurement processes.
3.7. Handling Contract Changes
• Processes must be in place that dictate the governance of contractual change, i.e. who the
necessary approvers are and how it must be completed, to ensure contract change is
completed promptly and effectively.
• Minor contract changes and variations must be dealt with in a cost and effort proportionate
way to the importance and value of the proposed change, seeking procurement advice to
ensure compliance.
• Detailed processes must be in place to handle material contract changes, including clear
approval mechanisms and accountabilities. Material changes to terms and conditions of a
contract are likely to trigger the need for a repeat of the Procurement activities and
tendering, Contract Approval Process. Contract Managers must always reach out to the
Company Secretariat when contemplating a contract change.
• Both parties must have a clear understanding of the arrangements for any extension of
the contract and related issues.
• Any contractual change must be carried out in accordance with the contractual terms set
out within the original contract, and departure from the terms setting out the change
process risks the validity of the amendment being made or gives rise to a potential loss of
rights or remedies available.
• Material contracts should be conformed annually within 30 days of the anniversary date.
3.8. Managing Complaints and Disputes
Proactive and planned Contract Management can reduce the likelihood of disputes occurring.
Formal dispute resolution should be the last resort and appropriate actions should be taken by
the Contract Manager and Contract Owner to address issues as they arise.
The Contract Manager should always follow Post Office’s internal procedures and the contractual
terms for managing complaints and disputes with suppliers and partners.
3.9. Escalating and Reporting Issues
Contract Managers should report and escalate issues or risks identified through the course of
Contract or Partner Relationship Management activities as required by the Post Office Risk
Management Framework and any related policies. Contract Owners are ultimately responsible and
accountable for ensuring compliance with required Risk and policy reporting requirements.
3.10. Contract Close-Out
A contract can be closed out in a number of ways:
• When all obligations under the contract have been fulfilled;
• The contract expires or is terminated;
• The intention to complete an agreement has been frustrated by events beyond all parties’
control; and/or
• All parties agree to end the contract.
The majority of contracts will close when they have been fulfilled or expire.
The Contract Manager must establish a clear ‘exit strategy’ at the outset of contract creation,
allowing Post Office to proactively manage contract exits and avoid disputes. An exit strategy
should establish:
• When, and under what circumstances, a contract can be terminated;
• What should happen to any remaining stock or supplies following termination;
• Whether any obligations should continue to apply after termination, such as obligations to
return or to pass data to a new supplier, or to cooperate with other practical arrangements
required to ensure business continuity; and
• How the costs of transition and exit are to be managed and allocated.
• Whether Post Office retains any assets, IPR, hardware or software licensing which must
be transitioned to a new provider.
• A clear position on both parties’ TUPE obligations should be set out from the outset.
3.11. Managing Re-Procurement
Before a contract is completed or expires, the Contract Manager will need to assess whether there
is an ongoing need for the goods/services delivered under the existing contract. This assessment
should take place well in advance of (not later than 6 months) the scheduled completion of the
contract, because if the need is ongoing, a procurement activity will be required to execute a new
contract. This requirement is just as applicable when considering whether to extend the contract.
Further, for extensions / variations, these should be added to the existing Web3 record and will
require a new CAF.
The Contract Manager should consult with Procurement to set a predefined point at which to
commence a new procurement activity. This date should be based on the estimated time that a
procurement activity will take to execute a new contract plus any period for transition. This should
take place no later than 12 months prior to the exit or termination of the contract.
Where a Contract Manager deals with a Client contract, it is also crucial to ensure that Post Office
is aware of its exit obligations and manages the exit appropriately. Post Office must also ensure
that it is prepared to enter into new negotiations for provision of the services to the Client. Good
planning is crucial for winning business and contracts.
3.12. Final Performance Review
The objective of this activity is to evaluate supplier performance and provide feedback that can
be used as a reference for future work.
Prior to the close out of the contract, the Contract Manager should conduct a final performance
review. The depth and the details of the review process will vary depending on the contract. The
following should be taken into consideration as part of the review:
• Whether the contract achieved its objectives;
• The Partner’s performance;
• Satisfaction of the users;
• Contract variations;
• Any disputes;
• Key Performance Indicators and Service Levels;
• Budget vs Actual spend;
• Weaknesses in planning, managing and procedures; and
• Audit reports.
Transparent KPIs drive desired outcomes such as minimal time to signature, minimal avoidable
business risk, best possible value for contract agreements and contract renewals, adherence to
and optimisation of contract management processes, and maximised compliance. Therefore,
performance targets (SLAs, KPIs) should be regularly reviewed to ensure the KPIs remain
relevant and meaningful.
3.13. Managing Transition
There may be a need for the goods/services to continue but with a different supplier. The
transition period from one contract to another can be a high risk period. It is the Contract
Manager’s responsibility to develop a transition plan. The following aspects should be considered
when developing the transition plan:
• Identifying any specific differences between the current and future contract;
• Developing a new communications plan, identifying stakeholders, both internally and
externally, who may be impacted by the changes;
• Updating internal processes or procedures with any changes required under the new
contract; and
Depending on the size and complexity of the contract, the transition period may take 12 - 18
months. This will consume a significant amount of time and resources (including significant
financial costs) and require ongoing management by the Contract Manager.
4. TOOLS FOR CONTRACT MANAGERS
This section contains links to various other resources available to Contract Managers.
Tool | Contact in case you need access | Owned or managed by
WEB3 | Available through the Hub if a licence is assigned. Access Form and user guides can be found on the Source to Settle Hub Page: https://poluk.sharepoint.com/sites/POA(00 1/procurement/SitePages/Web3.asp and CMF Intranet page: https://poluk.sharepoint.com/sites/Icq/SitePages/Contract-Management-Framework.aspx | Procurement Operations Team. Assistance on Web3 functionalities via the Contract Management Team
The LCG Academy | https://poluk.sharepoint.com/sites/Icq/SitePages/Legal,-Compliance-%26-Governance.aspx | The Legal, Compliance and Governance Team
Post Office Policies | https://poluk.sharepoint.com/sites/postoffice/Pages/policies.aspx | The relevant policy owner
Post Office Group Spend Approval Limits | https://poluk.sharepoint.com/sites/Icq/SitePages/Contract-Approval-Process.aspx?CT=1613478394298&0RIWA-NT&CID=78b0bfb8-ec96-2f99-@799-257054d35674 | Company Secretariat Team
Reporting dishonest or fraudulent activity | Discuss the matter fully with their Line Manager; phoning [...]; or via a secure on-line web p[...] www.intouchfeedback.com/postoffic | The Legal, Compliance and Governance Team
Procurement team | https://poluk.sharepoint.com/sites/POAQO1/procurement/SitePages/Home.aspx | Procurement Director
Demand Management Model | https://poluk.sharepoint.com/sites/Icq/SitePages/Demand-Model-Management.aspx | Procurement Director and The Legal team.
Partner Segmentation
Matrix and
Segmentation Tool
Contract Management Framework
Legal Academy
General Counsel
5. THE FRAMEWORK CONTROLS AND GOVERNANCE
5.1. Responsibility
The Framework sponsor responsible for overseeing this guide is the Group General Counsel of Post
Office Limited.
The Framework owner is the Group Legal Director who is responsible for ensuring that the Legal
Team conducts an annual review of this guide and tests compliance across the Group. Additionally,
the Group Legal Director and the Legal Team are responsible for providing appropriate and timely
reporting to the Risk and Compliance Committee and the Audit and Risk Committee.
The Audit and Risk Committee are responsible for approving the Framework and overseeing
compliance.
The Post Office Board is responsible for setting the Group’s risk appetite.
If you need further information about this Framework or wish to report an issue in relation to this
policy, please contact the Legal Team.
Committee | Date Approved
POL R&CC |
POMS R&CC |
POL ARC |
POMS ARC |
Payzone Board |
5.2. Framework Approval
Framework Sponsor: Group General Counsel
Framework Owner: Group Legal Director
Framework Author: Senior Legal Counsel & Paralegal
Next review: September 2022
Group Oversight Committee: Risk and Compliance Committee and Audit and Risk Committee
Company Details
Post Office Limited and Post Office Management Services Limited are registered in England and
Wales. Registered numbers 2154540 and 08459718 respectively. Registered Office: Finsbury
Dials, 20 Finsbury Street, London EC2Y 9AQ.
Post Office Limited is authorised and regulated by Her Majesty’s Revenue and Customs (HMRC),
REF 12137104. Its Information Commissioner’s Office registration number is 24866081.
Post Office Management Services Limited is authorised and regulated by the Financial Conduct
Authority (FCA), FRN 630318. Its Information Commissioner’s Office registration number is
ZA090585.
Payzone Bill Payment Limited is registered in England and Wales. Registered number 11310918.
Registered Office: Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ.
Annex 1 - Control Standards
A minimum control standard is an activity which must be in place in order to manage exposure so
that it remains within the defined acceptable levels and Risk Appetite Statements. There must be
mechanisms in place within each business unit to demonstrate compliance.
The minimum control standards can cover a range of control types, i.e. directive, detective,
corrective and preventive.
The table below sets out the relationships between identified risk and the required minimum
control standards in consideration of the stated risk appetite:
Applicable Area | Description of Risk | Minimum Control Standards | [heading illegible] | When
Contract Award | Not procuring contracts in accordance with Public Contract Regulations means contracts are being awarded non-compliantly by Post Office Limited. | All non-compliant contracts must be reported as a risk up to the Procurement Director, who in turn reports up to the RCC. | Procurement Director | Always
 | | Engagement with Procurement from an early stage when procuring goods and services | Contract Managers | Always
 | | Demand Management Module | Procurement | Used when appropriate, updated by Legal when necessary
 | | Ongoing training to the Procurement team and wider business | | When required
Contract Execution - Unauthorised signatories signing contractual documents, including electronically | The company has entered into a legally binding contract or obligation without internal approvals and independent oversight. | Only the Company Secretariat can distribute contractual documents for signature (including via e-signature software). | Secretariat | Always
 | | • Process: All contract signatures must be facilitated by the Secretariat and supported by a relevant internal authority evidenced in a contract approval form "eCAF" unless a written exception has been agreed by the Company Secretary (e.g. Employment Contracts facilitated by HR or Franchise Agreements facilitated by the Retail). | |
 | | • Assurance: The submission of an eCAF in accordance with the contract approval process will satisfy the delegated authorities approved by the Board and maintained by the Company Secretary. | |
 | | • Oversight: Only authorised signatories who are not also signatories to the relevant eCAF (to prevent a conflict of interest) will be requested to sign contracts unless a written exception has been agreed by the Company Secretary. | All Employees |
 | | • The list of authorised signatories is maintained by the Company Secretary following Board approval. | |
 | | Training: Guidance on the company intranet page(s) is updated regularly to provide the business with accurate information on the contract approval and execution processes, including the authorised signatories. | |
 | | Awareness: Twice yearly communications will be sent to all colleagues to remind them about governance processes and procedures, including authorised signatories. | Company Secretariat | Bi-annual comms plan
Contract Management | A lack of understanding of how to manage contracts efficiently, knowledge of contractual obligations on each party, impact to other areas within the business and basic contract law gives rise to risk of not meeting contractual obligations, being unable to pursue action in event of breach or last minute resource drain when contracts are suddenly about to expire or need to be renewed. | Contract obligation mapping on Web3 will allow mapping of key deliverables or actions that each party needs to undertake to comply with the contract | Contract Managers | Always
 | | Central repository of contracts to ensure contracts and appropriate additional information is accessible | Legal/Contract Managers | Always
 | | Legal training to the business to improve their understanding of the contractual obligations and impacts of contracts on other areas within the business | Legal | When required
 | | Developed house positions with playbooks that set out a range of acceptable negotiated positions for the following contract types: supplier contracts, bill payment contracts, agency network contracts and employment contracts | Legal | To be used when appropriate, reviewed by Legal on an ad hoc basis
Annex 2 - Partner Management Guide
This Guide covers the following:
Overview
Introduction to Partner Relationship Management
Partner Segmentation - first step in identifying in-scope partners
Partner Segregation Matrix
Required Partner Management Activities
APPENDIX 1: Detailed Supplier Management requirements and guidance
1. Overview
Partner management encompasses all activities from inception of the requirement to
engage a partner through to the end of the relationship. Partner Relationship
Management (PRM) is the activity within partner management which allows the day-to-
day management of partner relationships once the partner is on board and providing or
receiving services. This guide focuses specifically on Partner Relationship Management,
but also provides an overview of the wider requirements of PM. It summarises Post
Office’s approach to managing third party relationships and their subcontractors with
effort prioritised on partners deemed Strategic/High Risk or Critical during partner
segmentation.
1.1. Partner segmentation.
The Strategic/High Risk segmentation may also include partners who:
• Provide material services to the group;
• Co-ordinate and deliver services across them;
• Receive material services from Post Office; or
• Co-operate with Post Office when providing services to others.
These partners, in particular, require a number of mandatory partner management, and
PRM activities to either allow Post Office to fulfil its obligations to its upstream
clients, or to ensure that Post Office is realising maximum profit. Such activities
also allow Post Office to comply with applicable legal and regulatory
requirements.
In most cases, for Strategic/High Risk and Critical partners, unless another relationship
manager has been appointed, the Contract Manager will be responsible for day-to-day
management of the relationship and for completing the activities required under this
Guide. They must be identified by an overall accountable business owner - the Contract
Owner - of the services being delivered who retains the responsibility for ensuring
appropriate ongoing partner management is in place.
1.2. Due diligence.
This guide outlines the mandatory and recommended activities that a Contract Manager
should complete in line with related policies and the group’s current view of best practice
and depending upon Partner Segmentation. For PRM, these recommended activities
include:
• Completion of annual due diligence on the Partner.
• Monitoring of Partner performance to agreed SLAs, KPIs and contractual
obligations.
• Management of agreed risks, issues, escalations and change control procedures.
• Conducting annual strategic reviews plus other service development, innovation
and performance review meetings.
• Completing annual audits, reviewing all obligations (including exit) and regular
security penetration and disaster recovery testing.
• For suppliers - submission of a Monthly/Quarterly etc (as set out within the
contract) SRM Dashboard to Contract Managers for upload into Web3.
• Adherence to a contractually agreed Partner Management Governance Model.
A list of Strategic/High Risk and Critical partners has been approved by the GE members.
2. Partner Relationship Management (PRM)
2.1. Why do we need to do partner management?
• Post Office is dependent on a number of Partners to help us deliver market facing
services, revenue generating products or critical activities across our business. This
may be through direct outsourcing of services to them or via their provision of
goods/service to us which enables us to continue our critical business activities.
• Post Office needs to be aware and manage their obligations, service levels and other
requirements so that it does not find itself in breach of contracts.
• Post Office is required by regulatory bodies and government authorities to carefully
manage those dependencies, thereby ensuring our critical business operations are
not impacted by loss or interruption of supply.
• Good business sense dictates that Post Office should apply a similar level of rigour
to our higher risk or strategic third party relationships, even if we are not obliged
to by an external body.
• To obtain value for money from its partners and its contracts, and to ensure that those
contracts are continually aligned with strategic requirements.
• Protection of Post Office reputation.
Formal partner management is not required for all partners, however this guide aims to
clarify those requirements and the basis on which they will apply.
2.2. What PRM includes?
At the highest possible level, good practice and regulatory guidance considers adequate
partner management should include the following activities:
• Rigorous and compliant partner selection and contracting, including due diligence
on the potential partner;
• In the case of suppliers, appropriate approval via the Procurement Sourcing Councils
to proceed with engagement of the supplier from suitably authorised and
accountable individuals within the organisation;
• A clear plan implemented from the activities that will be in place to manage the
relationship and POL’s and the partner’s performance;
• An agreed set of controls and procedures to mitigate, manage and respond to
emerging risks;
• Clear roles and responsibilities defined for the performance of these activities and
ultimate accountable executives who can assure that these activities take place;
• Regular (in most cases annual) reviews of the partner to ensure it remains a going
concern and to manage risk to the group;
• Sufficient exit management procedures at the end of the relationship to protect the
group’s interests and minimise the risk of disruption to business operations.
PRM is an integral part of overall contract management. It is concerned with the day to
day activities to manage and drive value from the relationship with the supplier once it
has contractually commenced.
This guide sets out the best practice Partner Relationship Management which enables the
group to obtain optimal value from the partnerships, leading to the following benefits:
• Compliance with contractual commitments;
• Service levels and quality of service expectations are met throughout the life of the
relationship;
• The delivery of optimal value from the relationship in financial and non-financial terms;
• The creation of successful relationships, shared objectives and facilitation of innovation;
• Gaining a holistic view of Partner experience, enabling delivery of key information
to a range of stakeholders, and allowing measurement on a balanced set of metrics;
2.3. When does partner management need to happen?
It is important to understand that partner management needs to happen at all stages of
a relationship:
Before selection: Developing and agreeing a suitable business case and justification for
using a third party versus in-house, justification for bringing a new service/product to
Post Office, assessing the risks and benefits of all scenarios. In some circumstances,
regulatory or Partner approval may also be required.
During Partner selection: Treat potential Partners equally and without discrimination,
acting in a transparent and proportionate manner and compliantly in line with Public
Procurement legislation. Assess the potential Partner(s) ability to deliver or receive the
goods and services required, through proper due diligence and a rigorous selection
process.
During contracting: Agreeing appropriate contractual protections, SLAs/KPIs. Planning
for implementation and transition including the identification of a Contract Owner and
Contract Manager.
During implementation: Agreeing and documenting the roles, governance and
necessary partner management activities that will be required from Day 1 of the service.
Through the lifecycle of the contract in the form of Partner Relationship
Management: Using Web3 and other tools provided across the business, conduct
partner reviews, monitor performance and annual due diligence where required.
At the end of the contract: Managing the transition of the service back in house or to
an alternative provider, or transition back to the Partner, ensuring risk to operations or
business is mitigated throughout the transition period. Ensuring the group assets held by
the Partner are adequately managed or disposed of as appropriate.
3. Partner Segmentation
3.1. What is partner segmentation and when should it happen?
Partner segmentation is the generic term for completing a risk assessment of a Partner,
using a range of pre-defined criteria and risk factors, ultimately determining if a Partner
is a Low, Medium, or Strategic / High Risk. Segmentation determines if the Partner is
also a Critical Partner. The identification of Strategic/High Risk and Critical Partners
through segmentation is essential in determining the correct levels of due diligence and
oversight.
Segmentation should be completed at the earliest possible point when a potential spend
requirement has been identified and at a minimum prior to on-boarding and contracting
with a Partner. The procurement team will assist with consideration of multiple suppliers
during the selection process. Engagement with clients is normally driven by the type of
product or service that Post Office can provide to the clients.
3.2. How to segment partners?
The Partner Segmentation Matrix and Segmentation Tool should be used to correctly
segment Partners based on latest risk criteria.
The Segmentation Matrix consolidates various criteria agreed between the cross-functional
working group and Post Office group companies, and provides an efficient way to complete
and document the segmentation.
The Segmentation Tool will assist the Contract Manager with assigning the correct
segment to each Partner.
Note: IT Suppliers are crucial to Post Office and a separate segmentation
process has been designed for them; please refer to Appendix 2.
3.3. Description of segments
I. PLATINUM PARTNER
These Partners typically have agreements in place which are high value,
and/or long term across multiple products and services. Often involving a
high degree of integration, and with access to considerable levels of
sensitive data.
These suppliers are considered to be Critical to Post Office. See Segregation Matrix Table
1 for the relevant criteria.
II. GOLD PARTNER
Partners categorised as ‘Gold’ will have contracts in place with a high value
across a 5yr term or longer. Whilst there’s a lower degree of integration
(compared to a Platinum Supplier) they will still have access to
considerable levels of sensitive data.
These suppliers are considered to be Material and Strategic to Post Office. See
Segregation Matrix Table 2 for the relevant criteria.
III. SILVER PARTNER
Silver Partners have lower value contracts in place across a contract term
that is less than 5yrs. Partners are mainly connected to a single product/
service but may include a low level of integration, along with limited access
to sensitive data.
These suppliers are considered to be important to Post Office but do not pose an
immediate risk to Post Office’s ability to provide products/services. See Segregation
Matrix Table 3 for the relevant criteria.
IV. BRONZE PARTNER
Considered to be more transactional products/services with lower value
short term agreements (less than 3yrs). There should be no systems
integration, or access to sensitive data.
These Partners should not pose any genuine risk to Post Office’s ability to provide products/
services. See Segmentation Matrix Table 4 for the relevant criteria.
3.4. Partner Segmentation Matrix - If any of the criteria are true, the classification
applies.
Table 1 PLATINUM PARTNER
Criteria | Applicability
Business Continuity
* Supports critical infrastructure or business operations | Supplier
* Supports the critical activities of the Post Office through the provision of services of information | Supplier
* Provides critical infrastructure to the business | Supplier
* Providing the Client, or allowing POL to distribute services that are of economic importance, are aimed at vulnerable members of the society or are regulated | Partner
* Partner will have physical or logical access to Post Office systems or Data (excludes intragroup entities, suppliers providing hardware or software only) | Partner
* Supports the recovery of the business in the event of a crisis | Supplier
Data Security
* Partner will have physical or logical access to Post Office systems or Data (excludes intragroup entities, suppliers providing hardware or software only) | Partner
* Manufacture, support and/or administer multiple products across multiple lines of business | Partner
* Comprise a formal outsourcing arrangement for the business itself as well as products for resale | Partner
* Partner will have physical or logical access to Post Office Customer Data. | Partner
* Post Office will process significant amount of the Partner’s personal data. | Supplier
Cyber / Information Security Risk
It is highly likely that a Platinum partner will fulfil some criteria assigned to Gold Partners.
Table 2 GOLD PARTNER
Criteria | Applicability
* Provides outsourcing of business functions and people including regulated activities | Supplier
* POL is providing services of economic importance such as Post Office Card Account, Biometrics. | Partner
* POL is distributing regulated products | Partner
* Core services to POL such as mails products. | Partner
* Total value or profit of the expected contract >£1m per annum (excl. VAT) OR spend is >25% of business unit’s cost base | Partner
* Expected term of contract of 5 years or more | Partner
* Potential for adverse reputational / brand impact - Major impact to brand value/market share, adverse publicity, legislation or regulator breach leading to fines, loss of revenue >£1m | Partner
* Revenue generation and creation of Intellectual Property (IP) - Direct contribution to creation of IP / market facing products or services or integral to ongoing generation of revenue. | Partner
* Ability of POL to influence the selection of supplier or quality of goods/services received - Use of the supplier has been mandated* by partner, customer and there is no ability to influence - Monopoly market provider. [*Note this would be a breach of the law under PCR Regulations but could potentially apply elsewhere within the POL Group.] | Supplier
* Ease of implementation - Complex implementation effort requiring >6 months to complete and involvement of multiple business units. | Partner
* Ability to switch suppliers once implemented - >6 months to transition away from the supplier and/or significant financial penalties and/or organisational change | Supplier
* Dependency on supplier - Highly dependent on single/niche/specialist supplier for bespoke services/goods; very limited - if any - alternative supplier choice. | Supplier
* Dependency on the client - There are no other clients who provide similar service, for example a lot of the government agreements such as Biometrics | Client
* Sanctioned / Politically Exposed Individuals or organisation - Supplier has known connections to a sanctioned individual or is a sanctioned organisation. | Partner
* High Risk Geographies - Supplier's geography of incorporation or significant operations rated “Amber” or “Red” on the POL Risk Register. | Partner
* Relationship may be exclusive | Partner
Table 3 SILVER PARTNER
Criteria | Applicability
* Not a core product | Partner
* Total value or profit of the expected contract less than £1m per annum (excl. VAT) OR spend is >10% of business unit's cost base | Partner
* Potential for adverse reputational / brand impact - POL trademark is used for a very specific purpose that is controlled by POL. | Partner
* Intellectual Property (IP) - IP stays with the party that created it | Partner
* Ability of POL to influence the selection of partners - POL has multiple competitors in the area and the relationships are not exclusive. | Partner
* Ease of implementation - Complex implementation effort requiring >6 months to complete and involvement of multiple business units. | Partner
* Expected term of contract of 5 years or less | Partner
* Ability to switch suppliers once implemented - >3 months to transition away from the supplier and/or financial penalties and/or organisational change. | Supplier
* Dependency on supplier - Services/goods can be sourced from different sources and there is no dependency on the supplier. | Supplier
* Dependency on the client - POL can bid for similar service with other clients such as in bill payment area. OR POL has other ways of accessing the market. | Client
Table 4 BRONZE PARTNER
Criteria
Short term agreements or 12 months or less
Negligible spend or value.
No IT systems integration.
No dependency on the partner.
Consultancy agreement
Partner
Partner
3.5. Partner Segmentation Tool
The Partner Segmentation Tool is designed for Contract Managers to correctly assign the
segment to each of the partners they are dealing with and the levels and types of
activities they should be carrying out in relation to that Partner.
Supplier and Client segregation tool.xls
3.6. Required Partner Management Activities
* The Partner Segmentation Matrix and the Partner Segmentation Tool should be used
to determine the segmentation of the potential partner, and therefore the application
of the Framework.
* The following table summarises the partner management guidance for Partners
depending on their segmentation and overall risk level.
* A further good practice guide on the management of suppliers only, which sets out in
detail the various actions that Contract Managers should consider implementing, is included
in Annex 1: Detailed Supplier Management requirements and guidance below.
All PLATINUM PARTNERS will have a Contact Manager and Contract Owner (in some
circumstances there will be an additional supplier manager) to ensure that the businesses have
single points of contact to each other. The Contract Manager is responsible for the following:
Action | Assistance/info/support
Engage procurement prior to spend commitment | Procurement team - procurement; Legal - contract (Consult the Procurement Policy and engage as required)
Due diligence prior to on-boarding and contracting | Procurement team - procurement
Identification of Contract Manager and Contract Owner | The relevant business unit and follow directions of the GE member (Delegated Authorities paper)
Ensure sufficient contractual provisions | Procurement team - sourcing; Legal - contract
Appropriate KPIs/SLAs, which should be approved by the relevant business area, for example: services provided via branches should be agreed with the network operations to ensure that the branches can handle performance | The relevant business unit, LCG, key stakeholders including IT, DP, Risk, Network operations, Procurement team - procurement, etc.
KPI/SLA Monitoring | Contract Manager
Formal Control checkpoint prior to contract signature | Procurement team - procurement; Company Secretary - governance; Relevant business unit
Handover: Contract Owner to Contract Manager | Delegated Authorities paper
Annual Due Diligence | Contract Manager
Management of agreed risk, issue, escalation and change control procedures | Contract Management team; Procurement and Legal - contract
Conduct annual strategic reviews plus other service development, innovation and performance review meetings | Contract Manager/Management team; Procurement team - supplier management; The Legal team; Other key stakeholders as appropriate to the service
For Outsourcing, completing annual audits, regular Penetration and disaster recovery testing, and submission of Qtrly SRM Dashboard | Risk Team - Audit; Procurement Team - Contract; Legal Team - Contract; Information security; Business continuity
Exit Management | Business continuity; Procurement team; IT, relevant business unit. Network operations.
All GOLD PARTNERS will be allocated a Contact Manager and Contract Owner (in some circumstances
there will be additional resources to manage contracts) to ensure that the businesses have single
points of contact to each other. The Contract Manager is responsible for the following:
Annual Checks
Action | Assistance/info/assistance
Supplier financial stability checks and Segmentation | Procurement or Supplier Management Teams (SMT); Templates provided via procurement teams
RACI - identify who is to be Responsible, Accountable, Consulted, and Informed | Procurement Team or SMT; Ensure business stakeholder approves the RACI
Insurance check | Refer to contract to see what the minimum requirements are
Contract review and planning session - To include strategic discussions in line with the long-term ambitions of the relationship | Risk Team - Audit; Procurement Team - Contract; Legal - Contract
Identify all reviews, audits and contract requirements for the year ahead
Commercial review (market comparison) | Procurement Team or SMT
Innovation workshop | Procurement Team or SMT; Listen to the Supplier, look into Innovation and Fin-Tech news articles
Exit Plan Reviews (all elements of service) | Legal
Remote due diligence (Service and MI check) | Audit Team
On site due diligence (Service) | Audit Team
On site due diligence (IT & Data Security) | Audit Team, LCG
BCP Testing/ Review of actions | SMT; Risk Team - Audit; Procurement Team - Contract
Action | Contact for assistance
Supplier Review Meeting (face to face)
Review: Structure changes & Policy Updates
Remote due diligence (Complaints)
Monthly checks
Action | Assistance/info/support
Supplier Review Meeting (con call, and face to face as appropriate) (Service Reviews in the IT supplier management) | Risk Team - Audit; Procurement Team - Contract; Legal - Contract; Business Stakeholder
Ensure delivery of contractual obligations
Identify and rectify non-compliance with contract terms.
Review previous actions/ issues and document future actions
Facilitate decision making & escalation
Identify & manage key risks
Receive and review MI Reports | Add commentary as required
Understand and address any under-performance
All SILVER PARTNERS will be allocated a Contact Manager and Contract Owner (in some circumstances
there will be an additional supplier manager) to ensure that the businesses have single points of
contact to each other. The Contract Manager is responsible for the following:
Upon any New Term / Renewal
Action | Assistance/info/support
Commercial review (market comparison) | Procurement Team or Supplier Management Teams
Exit Plan Review (all elements of service) | The Legal Team
On site due diligence (Service)
On site due diligence (IT & Data Security) | LCG
Annual checks
Supplier financial stability checks and Segmentation | Sourcing or Supplier Management Teams; Templates appended to this framework
RACI - identify who is to be Responsible, Accountable, Consulted, and Informed | Sourcing or Supplier Management Teams; Ensure business stakeholder approves the RACI
Insurance check | Refer to contract to see what the minimum requirements are
Contract review and planning session | Risk Team - Audit assistance; Sourcing - Contract assistance; Legal - Contract assistance
Identify all reviews, audits and contract requirements for the year ahead
Remote due diligence (Service and MI check)
Remote due diligence (Complaints)
BCP Testing/ Review of actions
Quarterly
Supplier Review Meeting (face to face)
Review: Structure changes & Policy Updates
Monthly
Supplier Review Meeting (con call). Please see example of Agenda within Supplier Management Web 3 | Risk Team - Audit assistance; Procurement Team - Contract assistance; Legal - Contract assistance; Business Stakeholder
Ensure delivery of contractual obligations
Identify and rectify non-compliance with contract terms.
Review previous actions/ issues and document future actions
Facilitate decision making & escalation
Identify & manage key risks
Receive and review MI Reports | Add commentary as required
All BRONZE PARTNERS will be allocated a Contact Manager and Contract Owner (in some circumstances
there will be an additional supplier manager) to ensure that the businesses have single points of
contact to each other. This will promote and enforce consistent messaging across the relationship.
The Contract Manager is responsible for the following:
Action | Assistance/info/support
Engage procurement prior to spend commitment | engage Procurement team as required; consult the Procurement Policy
Due diligence prior to on-boarding and contracting | engage Procurement team as required
Ensure sufficient contractual provisions | Legal - contract
Agree appropriate KPIs/SLAs in place | This is a recommended action
Formal Control checkpoint prior to contract signature | Company Secretary - governance
4. APPENDIX 1 - Detailed Supplier Management requirements and guidance
Detailed Supplier
Management requir
5. APPENDIX 2 - IT Supplier Tiering Model
ITsupplier Tiering
model.docx
Welcome to the Post Office Segmentation Tool
This Segmentation exercise should be carried out on all Suppliers and Clients
of Post Office on an annual basis.
The results of the Segmentation help the Supplier, Client and Contract
Managers to identify what roles and responsibilities are expected of them.
Click on one of the following to begin the Segmentation:
Supplier Segmentation: Company is providing Products / Services to the Post Office (incl Payzone or POI)
Client Segmentation: Post Office is providing Products / Services to the Client (Post Office is the Supplier)
POI Sourcing and Supplier Management - 06 2020
Post Office - Supplier Segmentation Tool
Supplier
Supplier Name (Contracting Entity): Name ltd
Registered Address: free text address
Company Number: company number is free text
Post Office Products & Services provided / supported by the Supplier: Insurance, FM, Tel Coms, IT etc
Description of Services/Goods: Free text
Contract Manager Name (Post Office): Free text name
Supplier Manager Name (Post Office): Free text name
Who is answerable to the Regulator for the Services provided
Value
Annual spend with Supplier by Post Office (excl VAT)
Annual Income to Post Office from the Supplier (excl VAT)
Total Contract Value (excl VAT)
Data
Type of data Supplier has access to
Is Supplier the data controller or processor
How many items of data does the Supplier have access to
Has the Supplier had a data breach in the past 12 months
Impact to Post Office
Supplier Criticality Rating (Contract Manager to score)
Post Office Confidence Rating (Contract Manager to score)
What is the impact to Post Office if the Supplier could not provide their services for 48hrs
What is the impact to Post Office if the Supplier could not provide their services for 1-2 weeks
What is the impact to Post Office if the Supplier could not provide their services for more than 1 month
Risk Rating / Materiality / Criticality Level: N/A
Partner Segmentation Category: N/A
Comments / Actions: Any info to add. Free text
Post Office Client Segmentation Tool
Client
Client Name (Contracting Entity): Name ltd
Registered Address: free text address
Company Number: company number is free text
Client's Products & Services supported by Post Office: Bill payments etc - free text
Description of Services/Goods provided by Post Office: Free text
Contract Manager Name (Post Office): Free text name
Supplier Manager Name (Post Office): Free text name
Who is answerable to the Regulator for the Services provided
Contract & Value
Annual spend with Client by Post Office (excl VAT)
Annual Income to Post Office from the Supplier (excl VAT)
Total Contract Value (excl VAT)
Post Office reliance on Client
Level of integration between the Parties (cost of change)
Post Office's position in the Market
Confidence level in retaining Client (at next review)
Data
Type of data Client has access to
Is Client the Data Controller or Processor
How many items of Post Office data does the Supplier have access to
Impact to Client
Client perception of Post Office Relationship
What is the impact to the Client if Post Office could not provide their services for 48hrs?
What is the impact to the Client if Post Office could not provide their services for 1-2 weeks?
What is the impact to the Client if Post Office could not provide the service for more than 1 month?
(eestor N/A
Partner Segmentation Category: N/A
Comments / Actions: Any info to add. Free text
v0.3 | 08/01/2019 | Paul Dashwood | Added confidence level based on feedback from initial responses ongoing.
v2.0 | 03/06/2020 | Paul Dashwood | Updated for POL and added Client Segmentation
1. Detailed Supplier Management requirements and guidance
i. Analysis and risk assessment
When to complete: Post-partner segmentation and after confirmation of service include outsourcing
Activity: Complete a requirements analysis and risk assessment to identify/enable:
~ The business process to be outsourced and te eto ese nthe cnet of te buses fo service they support
~ The required service levels that the supplier will have to conto
~ The ability of Post Office to maintain appropriate internal controls and meet regulatory requirements (if applicable), particularly if the supplier were to experience problems.
~ Consideration of the need to seek 3rd Party [Client/Customer/Regulatory] approval or non-objection, current advice or guidance provided by them, and the need for consultation with any of these partners
~ Consideration also, of whether the nature of the outsource will bring increased or new risks.
~ Initial consultation and non-objection from partners.
~ Consideration of the extent to which outsourcing is preferable to undertaking the activity in-house.
~ Consideration of the ability for intra-group outsourcing versus third party supplier and the impact of regulation on that option.
Outputs: Report
Responsible: Contract Owner, Contract Manager
ii. Prepare a high level business case
When to complete | Activity | Outputs | Responsible
Post-partner Feean = Nh lini veh is data nd rab ta ows Business Contract
segmentation and I > Aipstenial sat sndosrute ined ard som sftne usciten nsung any cestsavingIncantves tobe pCBSE Owner
after confirmation I _ insiscewith the potential suoelie Contract
Of service include I ~ THY S772 Pubic Prenurenant rane wich mst be fllaced i ater tomuardste sortase Manager
outsourcing l
iii. Sign-off check point
When to complete | Activity | Outputs | Responsible
Post-partner eee RE ST RS SSSA SS SS formal I Contract
segmentation and approval to I Owner
after confirmation I ~ Revievan!spp:cvalctthe hgh inal business ome tom eppcitad axcintble waives otthePost proceed Contract
of service include I. Firrcusta meicaton s rcutedto ersten xz Manager 8.3
outsourcing ~ The cemplam Fultio Procuremant Precass which must be followed in ares to auard ths contract For
ditalt of the Procurement processes plaas araview the Procurement Poly
iv. Full Partner due diligence
When to complete | Activity | Outputs | Responsible
7 7 Gia Dugeacens Raimed oj Ce Speier Squetaby Teel bP 7
Pre-contracting > creck o“epp'ets castenmerarcs capanty ze coagetarce D Mpnetarce.pentepracees DUE diligence I Contract
and post-partner ane summary Owner
selection - erst petneen me sotrtais.oolermereros ote cttsentasene and action I Contract
~ ss RouzIOn 216 cURL ooNpistoe compantearaowstncnger Plan for any I Manager
boartalRapton open auch ovwkecmbre ornctes wbeconpiers varobisttanees orgy actions — for
. management
$ Srageements Pox oT: po e/Mitigation
sham its anise iim even iin ia"? ANG post
0 andoY exretoveRerinis or Mewes TION COON race
v. Transition Planning
When to complete | Activity | Outputs | Responsible
i i ‘Aarstion GBMifG SSTOSE MET be USE © © RAE SESES OI HE SuneRST aTSTEUN Be
During contracting I "Crete due agence byte servos provider (pacar for cusaurce saves &ereure.a thaigl 9"CCO Contract
undesstandina of the pranesses or sarvces 12 be cutscurnech transition Owner
~ Communication with affected staff #relevant plan Contract
~ Horna ard induction of naw staff to sunport the service outsourced team
~ Training, inawledge wanstes and parallel un between all partes Manager
+ Stabilisation and sfiianoy psricd reauited
~ [Onsheref Decommissioning /staffreductions andicr TUPE jwhere relevant
~ Idantfcation af iste soaofiote the tension oaried wth mitigating actore a ener corte
~ Clear rales an rasponsibiiies on allsides
~ Embedding and schedulina Supple Mananement end SRM! activtios and rescorsibitias ofthe sum
vi. Partner Management Plan
When to complete | Activity | Outputs | Responsible
Pre-signature Of I Agreethe Suppter Management Pian, to include: ‘Agreed Contract
the contract ~ Sete ans ins cranny Aone eat Revi Hinaegs Unk tense, agenda sees Management I Owner
~ Schedule and trings of quarter, manthiy orsagular checkpoint service rvieus (as applicable under yPI@N Contract
‘Supplier Segmention agreed} Manager
~ Schedule and timnss of reciina dus ditvence sctivties
~ sue esesleton she eesshtin procedures, with szcountable une assigned
Defindion of formal Supplier Management Team roles, to include at a minimum:
~ Accountable Executive: Individuel holding overall sccountatlty fo the relationship ad suppl
engagement
~ Business Oumer(s):resresanetve cf business unitw'e receives or ulrecelrs the sevioe {muti
‘Sefined where mufpia ertties cr Unie avevaoeiving services}, Ths & nat the Project Meneg=,
~ Supper Manager. insviauats) ces onsite the dy t day management of he supper celatorshi\
faclltation of SH actives, The Supplier Manager should be identiRed as early ax possible in the
process of selecting a supplier such that they can be part of the team undertaking supplier
‘selection, along with Procurement Complexsuprly eg large outsourcing mey requires number of
rescuroe: to delves the day today commercial management othe Supper. The particular rss and
‘esperstilis within tht team shoul terete b= escumentes within te Suppter Menegement Plan 21
sessile, reoloeted within the Suppl teamfecin ints the Fest Offce.
~ Service Owner: avarallsarvice aunar wh has the haletiview of tha servions being provid to all
Business Ents
+ Service Manager: manages the diy today, business as usual activins betsean thesuppia and the Pe
Office. Niyaupoct te Suncier Manaaw and services cwners in comelaion of thet cites
~ Procurement Resresaratve
vii. Contract drafting
When to complete | Activity | Outputs | Responsible
Pre-signature of I Psssenstandlagslmntie wgagedtesuppat dating fan apamate Ria pee Draft Contract
~ Transtion plan fe! auteurs seivines, vans tional evange ments
the contract ~ Contradual service evls and means of manitsing ‘reporting, including perfomance measures such as Contract, Owner
vist andkey osfarmance indicators (abe nest sect Contract
~ Protein ef confsanta infermation andr sesreastion af information,
= Conthgenay and twsiness corinuty flare and impleretation of equvalenttusiness cntinuay -« LEGal_~—-Risk I Manager
requtererts algned'= Post Ofte pode Note,
~ Termination sights and procedures Applicable
~ Information secuty ard internal sant, auton cavecene, tepartna and ments:ing enveorment
= Vetting of thid panty supplier employees or confirmation of compliance to Post Office standards approvals
~ Service wadés inthe eventsezvice levels ae nct met
~ Complionos with applicable Port Offas plies inducing maarn slavery, athtrBary and caruston
~ Spedal requtemerts such ws ghyical coms conta
~ Ces denies descrtons afthe sense ts be povided end ther asporsBitee cf each party
~ Notation cf ony rataval change in ckeumttanon: of te supplier which could have @ mataral impact 9
the proviion of service
~ Contest mananement and ssalation retusa suds tes stition
~ Ent managemertrighs ard procedures
= nuance cover
> Canentip at lelncual property and dee, end ctlgtions in ses pect management of PR
~ Roles andvessonstiltis, and retictions on changes taker personnel
~ Liniotions cn sut-consactirg e preerpiovelonsutcontscting, end leis
~ Compliance snd co-operation. schere racuted, with apcisble rexustery recuirement and bodies
~ Aus Acoms righ, nstuing terights ofon-sts souees for regulary badies
3 Beochoatng oth comme! aia leva the cue
viii. Contracting
When to complete | Activity | Outputs | Responsible
Contracting Aareiest of mcs Lesa birenc pepo tr " sstoction, ek Draft Contract
~ Datnkicn cf tical service level (cst time. rsponsivenese, qual, customer satisfaction, valime,
sculaa) overall execttons ofsenice contract Owner
~ Defintion of performance measures {KPeI:spectioparormance masrsures and haw they willbe csiautincluding Contract
fendrepored. KPTs are the indicator and sari warning signe of potertial or sctual reaches of service KPT Manager
loves. -
~ Key Rbk indiesters (KR: lading or Inaeing matics which dentiy amassing ks. supplier
~ Agree marthiy, quatarly, annual enarting and ileequizamens. and thei delivery SLAs toenatiethe Management
‘tevin 12 be managed elecvaly andin a fray ay, Ensure thatPost Ott sblgatins onal 3,
‘toustemer and ofante a baccatsof i order that Post Offoe can mest is cortractual
cbnators on time.
~ Dafne reporting scovscaras and en quieres fr mesturement anc reporting, inluding roles, recipient
cesparebities tor both sides,
~ Agree cortactial consequat of mutesial and cepattve tour vel SLABrmaches, escaiion paths and
epute manaerant
~ Consider service related croumstancas undar hich Post fie would wh to Terminate fr Cause and
‘ersure apercarinte contectual vamedins arin place
~ Ensure mechanism for review and ealgnmentof SLAs/KP6 is induded ts alow toy edltional or redutic
services over te.
~ Ensure eportng end dectattion of complance fer saguatay or cortvatual cblgetions ere detiled
seoarataly,
Reler to Procurement for guidance on KPIs/ SLAs which are appropriatetothe service tobe
provided.
ix. Contracting
When to complete | Activity | Outputs | Responsible
Contracting
‘Aformal Control Checkpoint must be condutted and approvals documented. Business Owners @Minutes
Procurement should consult with Post Offine Company Secretanatto ensure governance is
~ Accountable Executive, recvesertatives fram General Executive / Board es ancromriste
~ Managers of business areas imcaded
Leal, Rise
Procurement
Supplier Manager
Business Ouner
Service Mananer
‘Checkpoint meeting must consider and approve, in principle:
~ The proposed govenance and suppllay management spprcach, insuding¢cles and emepecrsibitis via
Supcliar Maransment Pian.
~ Key contectusl terms end conditions vis the dra contact ard Contrect Acprovel Form
~ Sumerary of supplier sss, due dilgance actions teen and any residusl risk requ ing past-contect
mitigation cr sign-off by the Accountable Executive(s}
~ Undated final business case
‘Tuansition Plan
Go No Go decision to proceed to contact signing and trensition.
Dratting nota: CAF is under reviews. Subject to Co-Seo approval this process may take place virally, vis
Contac! Sum m ay Form wnt around and oanpielion ¢ tre CAE prosene]
‘The efendees should incde a> appropri [mendetryatendees in bold meetings,
scorecards Contract
of I Contract
Owner
Manager
x. Contracting
When to complete | Activity | Outputs | Responsible
Contracting
The Business Owner should complete a minuted Handover Meeting to the nominated Supplier
Manager which ensures successful transition to the Supplier Manager, including:
- Roles and responsibilities clearly agreed and communicated
- Supplier Management Plan agreed and handed over
- Scheduling of annual activities including Due Diligence
- Scheduling of performance monitoring activities
- Scheduling of reviews both internal and with the Supplier
- Scheduling of Monthly/Quarterly SM Dashboard submissions (for Outsource)
- Agreed next steps to establish performance monitoring, reporting, risk and issue management, escalation
and change control processes and the retention of documentation relating to those.
- Change notes, billing and invoice management (internal SLAs on turnaround times)
Outputs: Handover documents
Responsible: Contract Owner, Contract Manager
xi. Contracting
When to complete | Activity | Outputs | Responsible
Post-signature and implementation
The Business Owner should complete a minuted Handover Meeting to the nominated Supplier
Manager which ensures successful transition to the Supplier Manager, including:
- Supplier Management Plan agreed and handed over
- Scheduling of annual activities including Due Diligence
- Scheduling of performance monitoring activities
- Scheduling of reviews both internal and with the Supplier
- Scheduling of Monthly/Quarterly SM Dashboard submissions (for Outsource)
- Agreed next steps to establish performance monitoring, reporting, risk and issue management, escalation
and change control processes and the retention of documentation relating to those.
- Change notes, billing and invoice management (internal SLAs on turnaround times)
Outputs: Handover documents
Responsible: Contract Owner, Contract Manager
xii. Annual Due Diligence
When to complete | Activity | Outputs | Responsible
Post-signature and implementation - annual
The Supplier Manager is responsible for completing required annual due diligence on a timely basis. The
Jiosnoceequtss 0 depencert sn the segreniaon of hesurpiw. Thesuppler shou becesegrene
Suolae Mateoe:sstoudrela isthe test vaslow the Sure Searmntaion Toc ants Proouere UC
Minimum requirements for Strategic / High Risk suppliers
- Financial Health check
- Conflict of Interest checks
- Operations and Capacity assessment
- Review of company information, CSA, regulatory and management background
- High Risk country or Sanctions. Low risk to Post Office however, any offshore locations relevantte se U6
should be considered
Minimum requirements for Strategic / High Risk suppliers including Outsource:
~GChtand B quertaweres cratstarert tomsurote cto change
- Annual Audit to be discussed at RCC, possibly applicable to EO! and AMG retstorenipe?g
- Evidence of disaster recovery / ECH and pandratio testing as required
- Statement of and evidence of compliance to contractual obligations aa st vetina
Minimum requirements for Critical suppliers
- Chel and IS questionnaires or statement from suppliers of no change
- Financial Health check f fobe dacunsed. subject foreview cf fil mumber of mesiars deemed! ite Ao
Outputs: Results of due diligence. Issues noted in due diligence escalated to appropriate individuals or business
Responsible: Contract Manager
Monthly performance review
When to complete | Activity | Outputs | Responsible
Post-signature and implementation - monthly
Monthly Service Performance Review
Attendees to include:
- Supplier Manager
- Business Owner
- Service Manager
- Procurement as requested if there is a performance issue or commercial aspect to the discussion. Note: in
complex Outsource arrangements, Procurement responsibilities may be delegated to a Commercial
Vendor Manager as part of the Supplier Manager team responsible for the supplier. Under these
circumstances, Procurement should attend annually at a minimum or where there is a dispute
Agenda
- Review of KPIs and service performance in the period
- Financial performance, billing and invoicing, aged debt
- Agree performance improvement actions and inklantrazchiton acts
- Review and approve Change Requests
- Review open Actions Log
- Review open Risk Log
- Review any compliance or contractual obligation activity ie.
Outputs: Minutes of meetings; Risks and controls log; Change of control log; Any relevant documentation
Responsible: Contract Manager
xiv. Quarterly performance review
When to complete | Activity | Outputs | Responsible
Post-signature and implementation - quarterly
Quarterly Service Development Meeting
Attendees to include:
- Supplier Manager
- Business Owner
- Service Manager
- Accountable Executive
- Procurement
lunes err Ue recta
- Business review including service and financials
- Review of market trends and trading updates
1 fqreumen ey dere, Tearstion Pan tapped) ands df Patemrence naovenen
Pine = + Teretion Pian eprops) abstemenssimes="
- Review and approval of significant Change Requests
- Review of any audit, risk assessments or findings
- Innovation actions, activity or opportunities
- Service improvement opportunities, actions
Outputs: Minutes of meetings; Risks and controls log; Change of control log; Any relevant documentation
Responsible: Contract Manager
xv. Annual strategic review
When to complete | Activity | Outputs | Responsible
Post-signature and implementation - annual
Annual Strategic Review meeting
Attendees to include:
- Supplier Manager
7 eons:
- Service Manager
- Procurement
- Accountable Executives of both parties
- Business Owners
- Other Business functions at their discretion (Risk, BCH, Information Security, Legal, HR, Internal Audit)
Agenda
- Overall trading and market conditions review: external and ters inescs
- Review of annual due diligence and agreement to mitigating actions
- Review of compliance to internal policies, contractual obligations and external regulations.
- Review of Service Levels and KPIs
- Review of financial status and any reictaward wotore ralvant
- Review of continuing appropriateness of contract terms
- Review and approval of significant Change Requests and plans as required
- New business opportunities
= sais scant gr
Outputs: Minutes of meetings; Risks and controls log; Unit; Change of control log; Any relevant documentation; Improvement; Updated risk logs
Responsible: Contract Manager, Contract Owner
xvi. Exit management
When to complete | Activity | Outputs | Responsible
Exit
Agreement of a detailed Exit Management Plan, to include, where relevant:
- Communication with affected employees
[Hire eft Wchcton cf nai. empleeas os amccultof beuidra, wana devant
- Training
- Retention and stabilisation approach
- Stabilisation/wind down and efficiency period
- Supplier decommissioning/employee impacts
- Identification of risks specific to the transition period with mitigation actions as appropriate
- Transfer/ownership of shared assets owned or assets provided by either party
- Requirements of termination/exit notice to supplier included in timelines.
Completion of an Exit Management Control Checkpoint to include the following attendees and agenda
items as appropriate:
- Post Office CEO, Post Office Accountable Exec(s) as relevant, Business Owner, managers of Business
areas impacted, Legal, Procurement (early engagement of Procurement is essential to plan any activity to
source an alternative supplier)
- Supplier Accountable Executive and other individuals as required by the plan
- Review and agreement of exit management plan
- Go / No Go decision on exit
All documentation, plans, meeting minutes and formal contractual documents relating to the exit must be
retained by the supplier manager/business owner for future audit
Outputs: Exit management plan; Contract exit plan; Audit trail
Responsible: Contract Manager, Contract Owner
Determining Tiering - Instructions
On the slide below, consider each column in turn and the relevance of the statement in relation to your supplier
Determine a Score for the supplier from A (1 - 10)
Highlight the box(es) applicable - please ensure only 1 Box is highlighted on the columns (vertical) themes
Total the number of highlighted boxes in each row (B)
Multiply A x B to give you the score under column C
Column D - Y/N, do the Contracted services have SLA's that link off to a Client Contract that could impact POL with severe financial
erates. it, the VM at their discretion can rate the outcome of that risk (1 low - 10 high) and if deemed relevant will impact on
the Tiering outcome i.e. add the score of B to column C. Just one score to add to column C
Tiering will be determined Tier 1 = 56-70, Tier 2 = 36-55, Tier 3 = 16-35, Tier 4 = 1-15.
N.B. Customer: definition is as per users of the service i.e. internet users or end user e.g. Post Office customer. You should only have one highlighted in
each column hence the max score will be 50
Impact on Business: Please consider reputation of Post Office should the vendor's service be adversely impacted, for example
Tab 9.1 Procurement Governance & Compliance
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Procurement Compliance & Governance Report
Meeting Date: 28 September 2021
Author: Barbara Brannon, Procurement Director
Sponsor: Alisdair Cameron, Group Chief Finance Officer
Input Sought: Noting
The Committee is asked to review the report, noting any Procurement Risk Exceptions
submitted to the Post Office Limited Group Executive and Board since July 2021 and to consider
and give direction in respect of the contracts in the Procurement pipeline which are high value
and at risk of being awarded or extended non-compliantly where noted.
Previous Governance Oversight
* March 2021 - RCC, ARC and Board Submission
* May 2021 - RCC, ARC and Board Submission
* July 2021 - RCC and ARC Submission
Executive Summary
As a business in receipt of public funds Post Office Limited (POL) is bound by the Public Contract
Regulations (2015). PCR 2015 oblige POL to behave in a fair, objective & transparent way when
contracting with 3rd party suppliers. Additionally, set procedures must be followed for spend
above £25k and £189k.
The purpose of this report is to set out both breaches to Post Office governance and key controls
around contracts and compliance to PCR regulation in the award of contracts.
The aim of collating this information is to drive improvement in awareness and compliance
behaviour across the organisation. The second and primary aim is to work with GE and Business
Units to commence commercial reviews in a more timely way ensuring POL obtains value,
commercial and contractual flexibility fitting the requirements and business strategy of the
organisation.
In March 2020, Post Office Board requested prior approval of all Exceptions. This was revised
in September 2020 to above threshold Exceptions >£189k only in a revision to existing
governance. From November 2020 sub threshold exceptions will be submitted to the Group
Executive for prior approval and reported retrospectively to RCC and to ARC.
A Procurement Risk Exception Note is required to accompany all Exception Requests and a
Legal Risk note for requests >£189k.
Strictly Confidential
Questions addressed
1. How many and what types of procurement risk exceptions have occurred in the past
quarter?
Since the last RCC report at the end of July there have been no Procurement Risk
Exceptions submitted to the Group Executive & Board for approval.
2. What are we doing about it?
Active reviews continue with Business Units with the highest values relating to non-
compliance.
Our overall
the Marketing Media tender from
further with the successful completion of
A visual breakdown on all Open incidents at 1 September 2021 is available in Appendix 1.
3. What is in the current Procurement pipeline which is high value and at risk of being
awarded or extended non-compliantly?
There are three potential Procurement Risk Exceptions pending:
a) Postal Orders & Camelot Cheque Clearing processing services - this is a !IRRELEVANT
expiring in March 2022 for which the cost of change is very
material. A business decision has been taken to bring a risk exception request to GE
& Board in late Autumn. The current timeline is also driven by lack of sight as yet on
the outcome of the National Lottery tender process, and the technical/product
roadmap for Postal Orders and how they will be physically processed and sold in
branch with SPM.
b)
The in December 2021
a IRRELEVANT _ Current cost
is circa:
services!
However, this must be formally evidences
analysis is currently underway. There is insufficient time to run a full
and this market
ub! rocess
c) A review of the PCR status of the legal advice relating to the Inquiry is underway. A
further update will be provided to GE & Board in October.
Risk Exceptions are subject to extensive internal governance, legal and risk review, in line with
POL governance guidance on value and risk. This is reflected in the material reduction in the
value of open risks over the past 3 years.
Individually, all large value non-compliant contracts have been reviewed by appropriate Post
Office governance forums with agreement on next steps and actions towards remediation
allocated where appropriate and/or available.
Executive support towards moving POL towards a more compliant footing is very strong, but
equally as important there is extensive support towards the cultural change required to ensure
that Procurement activities and outcomes will support longer term business strategies and we
reduce commercial risk making our 3rd party arrangements fit for purpose.
Report
4. What are the potential consequences of non-compliant awards?
a) Pre-contractual remedies overview: During a Procurement, an aggrieved party can
seek an interim injunction suspending the tender or the implementation until the court
decides on an outcome.
b) Post-contractual remedies: The court can order an ‘ineffectiveness order’ rendering
the contract void &/or can award damages.
5. Why are these incidents of non-compliance occurring, and what can be done
about it?
Non-compliant awards may be made for a number of reasons at the Post Office.
a) Low value, time constrained or highly sensitive/specialist engagements are not
uncommon.
b) Large commercial arrangements cannot often be easily competed or unravelled
without operational impact, and re-procurement may be subject to a pending evolution
of a supporting Business Strategy and/or completion of large, and complex technical
programmes of work to maintain or enhance services prior to a possible exit.
c) The contractual arrangements may pre-date PCR 2015 regulations or the contract
novated during separation from RMG, automatically becoming non-compliant at the
renewal point. Non-compliant awards are frequently made on a tactical basis to extend
contractual services while public tender processes are executed.
d) Delays to public sector panels of suppliers becoming available. The Post Office makes
extensive use of this low-cost route to market and new/refreshed panels are subject
to frequent delays from Crown Commercial Services. Single interim extensions [of
periods under 12 months] while tender processes are run are considered to be low
risk legally.
e) Changes in scope or value over the term of a contract may render the extension or
renewal of services non-compliant. Material changes to the scope of a contract may
render the whole contract non-compliant.
f) Disregard for, or lack of understanding of the regulations.
6. Why are we recei
A decision to collate this information into a single location was taken in the Autumn of
2016. The aim is to track and improve our overall compliance and commercial results as
an organisation, while also ensuring perceptions are accurate. However, it should be noted
that it will facilitate timely responses to Freedom of Information requests which adds risk
to the Post Office commercial landscape.
7. Are any of these breaches arguable on regulatory grounds or are they all
breaches?
A full explanation of the individual compliance breaches for direct awards over £189k
[previously £164k & £181k] threshold is attached in Appendix 1. Each entry details the
nature of, and the value of the breach. The threshold is altered every two years based on
the FX rate between GBP and the Euro.
The Procurement Compliance Register does not at present give an indicative risk level
attached to the award. This information is provided to the accountable executives under
internal governance processes in the form of a PCR risk note before a contract above
threshold is entered into, and if necessary, under Legal Privilege. In addition, all
signatories to a contract have sight of the Risk note as part of the Contract Authorisation
Form [CAF].
All entries are compliance breaches. A period of challenge applies to each PCR breach once
an aggrieved party becomes aware or ought to have become aware. This risk finally
expires at 6 years from the date of breach. The defensibility of a legal challenge is outlined
within a Risk Note.
8. How many of the breaches were approved in advance and how many
retrospectively?
All contracts entered into during this period were compliant with internal governance
processes on contract and commercial review.
9. Why were the approvals given?
The rationale for approval is relevant to the individual service and is detailed within
Appendix 1.
10. What were the unapproved, material breaches?
There were no unapproved, material breaches during this period.
11. Describe what you are doing about the breaches. Where we are in breach, do we
have a plan to come back into compliance and over what time period will that
plan take effect?
a) A forward view of material contracts falling under each Business Unit is currently
prepared by the relevant Procurement Manager for discussions with their key
stakeholders. The maturity of this look ahead view does vary currently and is
consistently a high priority activity within the team.
b) Sourcing options papers are prepared for review by contract managers and key
stakeholders [risk, legal, security] with routes to market agreed. In many cases these
are dependent on evolving business and operating model strategies and the
Procurement team are actively involved helping to advise and review options as
thinking evolves.
c) Where a non-compliant award is proposed due to time pressure, Procurement are
actively working on long term mitigation with awards made on an interim basis to
meet urgent operational needs.
d) Each RCC member now receives a regular report on compliance within their business
unit[s].
e) A Risk & Governance process requires a Risk Exception report to be created for non-
compliant direct awards with GE sign off.
f) Awards over £189k must have prior Board approval before being entered into.
g) All Professional Services engagements must be approved in writing in advance by the
CFO/COO. A compliant panel of preferred consulting partners has been appointed and
proposed engagements outside of this panel are subject to additional review and
challenge.
h) Procurement provides training as part of the revised Induction process for new staff.
Training packs are being updated for existing staff and a new training module made
available on SuccessFactors. Ad hoc training sessions for interested Business Units are
also run.
i) A new Intranet site has been launched for Procurement to improve visibility of process,
regulation, and the panels of approved compliant suppliers available to POL business
units.
j) A revised POL Procurement Policy and supporting processes is in progress giving more
granular guidance.
k) Using Crown Commercial Services frameworks, panels of Preferred Suppliers are being
refreshed and updated across a wide range of spend categories to reduce time to
market, improve compliance and greatly improve commercial outcomes and legal risk.
l) A planned change to operational systems will, once live, give Procurement earlier
visibility of potential compliance issues eg: contractual value thresholds.
Risk Assessment, Mitigations & Legal Implications
12. As a business in receipt of public funds POL is bound by the Public Contract Regulations
(2015). PCR 2015 oblige POL to behave in a fair, objective & transparent way when
contracting with 3rd party suppliers. Additionally, set procedures must be followed for
spend above £25k and £189k.
13. Failure to abide by the legislation or “slicing and dicing” contracts exposes POL to risk,
both to the commercial outcomes of the contracts and from the reputational damage,
legal remedies, censure & fines that can follow the discovery of a breach. Our compliance
to PCR can be requested under a Freedom of Information request at any time.
14. The PCR Compliance Register allows for the tracking of breaches to PCR regulations at the
Post Office and internal governance processes. One aim of collating this information is to
drive improvement in awareness and compliance behaviour across the organisation. The
second and primary aim is to work with GE and Business Units to commence commercial
reviews in a more timely way ensuring POL obtains value, commercial and contractual
flexibility fitting the requirements and business strategy of the organisation.
15. Contract and financial governance policy and processes at Post Office are set by the Legal,
Risk and Governance team with clear guidelines for staff available on the Company
Secretariat team intranet site. This sets out steps to be taken to obtain financial and
contractual approvals prior to making a binding commitment to an external party. Non-
compliance with internal governance processes is also captured within this report.
Appendix 1 - All Open Material Incidents
cement
iiteationy
Bread itype 1
AS Functor Amber SupelerName Ree Governance
I hasta ECR sresnold
23/12/2019 | Corporate Affairs & Comms | Richard Taylor | Cardew Group | £452,860.60 | 31/12/2021
29/03/2020 | Marketing | Marketing & Brand | Owen Woodley | CACI | £392,380.00 | 01/04/2022 | ce
25/06/2020 | Banking Services | Commercial | Owen Woodley | Barclays | £1,600,000.00 | 30/12/202: | board
25/06/2020 | Banking Services | Commercial | Owen Woodley | Barclays | £150,000.00 | 16/03/2022 | Pen board
10/07/2020 | Public Affairs | Corporate Affairs & Comms | Richard Taylor | Lexington Communications | £505,952.00 | 31/07/2022 | board
£3,101,192.60
Tab 9.2 Bulk Cheque Clearing Account
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Bulk Cheque Processing Contract - appointment of Exela Technologies Ltd as new supplier
Meeting Date: 28th September 2021
Author: Antony Ray, Senior Procurement Manager - Finance
Sponsor: Owen Woodley, Group Chief Commercial Officer
Input Sought: Decision
We are recommending the appointment of Exela Technologies Ltd (Exela) as the new
provider of Bulk Cheque Clearing services as;
a. They have won the recent tender
b. Met all criteria mentioned in the tender
c. Taken steps to address the subsequent concerns mentioned in this paper
d. Created an appropriate commercial model.
POL recently tendered the Bulk Cheque Processing service and this exercise was won
by Exela who submitted the only acceptable bid. Whilst the Exela bid ts all
technical requirements and offers{ IRRELEVANT ~~” {Barclays)
there are two points of Treasury policy lered before m:
otherwise be a routine award of contract. Namely;
a) The lowest credit rating allowable under Treasury policy for financial institutions
In order to provide the full end-
IRRELEVANT I Both institutions do have a strong Dunn and
Bradstreet rating of 5a for financial strength and a low risk rating of 1. As their
bid stands POL would not be contracting directly with a bank but rather with
Exela.
b) Treasury policy states that approval of new financial institution counterparties
needs to be provided by ARC and that financial institution counterparty limits
need to be provided by ARC. POL would be contracting with Exela who are not a
financial institution in themselves.
There is a further general concern from Treasury that a Cheque processing
hen compared to closed loop we
This recommendation was approved by the Risk and Compliance Committee on
14th September 2021.
Previous Governance Oversight
Confidential
* Approval of a 6-month non-compliant extension to the existing contract with
Barclays by POL Board May 2021 to facilitate changes to tender requirements
following Banking Framework negotiations.
* Approval of a 1-year non-compliant extension in June 2020 by POL Board in
order to tender the services.
Executive Summary
Barclays currently provide cheque processing services for the out-clearing of Personal
and Business cheques that we accept as a Method of Payment (MOP) at our Horizon
Counters. The service also includes Banking Framework processing services for Cheque
Encashment and Partner Bank Cheque Deposit Envelopes.
These services commenced in 2011 under an OJEU Tender Award, with the OJEU Notice
stating a total contract duration of 8 or more years. However, the contract awarded was
on a 5+3 basis. The contract was extended to 30 June 2020 following previous internal
and external legal procurement advice from Stephenson Harwood which cited
Regulation 72 exemption for modification of contract. Additional advice was also sought
and obtained from Ashfords to extend the contract to 30 June 2021. A decision was
made to extend non-compliantly as no exemptions applied at this stage following
legislative changes to public contract regulations in 2015.
In order to put the contract back on a compliant footing the decision was undertaken to
conduct a tender. This process commenced in January of 2021 under a Restricted
Procedure which does not permit negotiation.
IRRELEVANT
However, it should be noted that even if Barclays had remained under consideration,
the tender ¢
Exela Technologies Ltd, the winning bidder have a favourable Experian report (See
Appendix A) which ranks them as “very low risk”. Their parent company Exela
Technologies Inc in the USA has a less favourable rating of “outlook negative” as can
be seen from the Standard and Poors abstract in Appendix A.
It should be noted that the financial standing of a parent company is not normally
considered a factor that would justify the non-award of a contract if the main
contracting party had a good financial rating.
The factors that would allow for disqualification on financial standing grounds as
included in the Supplier Questionnaire are:
1) If the contracting party is insolvent or bankrupt.
2) If their turnover is less than £9.6m per annum.
3) If a single client is 20% or more of their annual turnover.
Exela Technologies Ltd pass all those criteria.
Whilst Exela can provide the processing of the cheques they need to partner with a
bank which has clearing ca biliti 5 to end clearing
service. Exela can parenerI
ey are award winning in the Fintech sector and have a Dunn and
Bradstreet rating of 5a for Financial strength (tangible net worth £35m and above)
and a Risk Indicator of 1. Minimal Risk. They run two Bank of England accounts as is
required of all clearing banks. They don’t however have a Standard and Poors or Fitch
rating.
[IRRELEVANT ; re more well known and a longer established clearing bank. Their Fitches
rating is B+ (See Appendix A).
To provide the service Exela will open an account with the nominated bank where the
cleared funds will be held until swept to POL's corporate account with Barclays on a
The value of funds accruing on a daily basis could be up to
The account will be
operated in such a way that funds can only exit the account by being passed into
POL's Barclays corporate account.
ARC are asked to note and approve the recommendation to award the Bulk Cheque
Clearing contract to Exela.
Questions asked & addressed
1. What are the issues with awarding the contract to Exela?
2. What options and mitigations could help to address these issues?
Report
What are the issues with awarding the contract to Exela?
1. The first is that the lowest credit rating allowable under POL Treasury policy for
finan: mit £30m). So far
Exela’ who have a Fitches
rating of B+ and Clearbank who do not have a Fitches rating. Both institutions do
have a strong Dunn and Bradstreet rating of 5a for financial strength and a low
risk rating of 1. Technically POL is not partnering directly with these banks. They
are a sub-contractor to a relationship POL would have with Exela. RCC approval
for Excel
2. The second is that Treasury policy states that ARC need to approve any new
Financial Institutions we partner with and set the appropriate limits for that
partner. We are not directly entering a relationship with either bank (although
that does remain an option if POL thought it preferable) as the contractual
relationship is with Exela and RCC approval to this arrangement was granted on
15 September 2021.
__also have a higher credit rating than
so concern linked to the financial
standing of the Exela’s parent company.
What options and mitigations are available to address these concerns?
4. With regard to the Credit Rating point Exela have said it may be possible to
partner with a Bank with a standing of BBB+ or above.; IRRELEVANT :
the most likely prospective partners but Exela will need to neg
of these partners in order to set up the required processes. Additional costs may
be charged for the upgrading of the requirement. After further discussion on this
point at Steerc: ith Treasury and at RCC the consensus is that Exela
partnering wit js an acceptable way forward.
The concern reg increased risk of the new proposed arrangements
when compared to the existing fir jased system will be addressed in the
following ways.
a) r
b)
, IRRELEVANT
qd)
i IRRELEVANT n 2017 they partnered with Vocalink to
build the UK image clearing system (The Switch) through which a 100% of
cheques are cleared. They provide more service and tech platforms to the cheque
clearing industry than any other supplier.
They currently provide full cheque clearing platforms and infrastructure to
Santander, Allied Irish Bank and Bank of Ireland.
9. By moving to Exelaa
compared to the existing
Risk Assessment, Mitigations & Legal Implications
10. The assessment of risks, mitigations and legal implications is provided in the table
below:
Risk / Legal Implication: Not awarding a contract because of credit rating of the counterparty’s parent credit rating is very unusual and could give rise to a challenge from Exela.
Mitigation / Control: It may be difficult to defend such a challenge but the value of funds being held in a sub-contractors account may provide mitigation.
Risk / Legal Implication: Not awarding a contract because a counterparty’s sub-contractor does not meet our Treasury credit rating policy may lead to a challenge from Exela on the grounds that such a requirement should have been made known at an early stage in the ITT process.
Mitigation / Control: Mitigation is provided to some extent by us allowing Exela time to come up with a Banking partner that will meet the required standard.
Stakeholder Implications
11. These have been fully considered through a Steerco led procurement exercise
with the involvement of affected stakeholders. A move to Exela is acceptable and
will result in the cost saving above.
Next Steps & Timelines
12. The steps required to progress are provided in the table below:
Step | Description | Timeline
1. | ARC Decision based on this paper will determine next steps. | 28 Sept 2021
2. | If no further vals ni POL will seek to contract with Exela by early November 2021 | 1 Nov 2021
Appendix A
1. Exela Technologies Ltd Experian report
2. Exela Technologies Inc Standard and Poors rating
https://www.alacrastore.com/s-and-p-credit-research/Research-Update-Exela-Technologies-Inc-Ratings-Affirmed-Following-Equity-Offering-Outlook-Negative-2690281
3. Co-operative Bank Fitches rating
https://www.fitchratings.com/research/banks/fitch-upgrades-the-co-operative-bank-to-b-outlook-stable-21-07-2021
Experian
Date Incorporated:
27 October 1976
Age of Company:
44 years 10 months
Registered Office:
BARONSMEDE THE AVENUE, EGHAM TW20 9AB
Website *:
Industry Type:
OTHER COMPUTER
RELATED ACTIVITIES
Credit
Assessment Commercial Delphi Days Beyond Terms CCus ‘Alerts
Eikibaing :-dDeelphi Score: Company In last 2 Years: No. of
Sei aul ad fas DBT: Trend: (jmp) Alerts:
£ 430,000 W gz way
Credit Rating: 2
£ 140 000 Calculated on 12 August 2021 at
3 11:55:30 (Jul 2021)
Delphi Band: This company pays
i beyond its terms
Very Low Risk Industry DBT
Failure odds (next 12 (Jul 2021):
months): 31
Calculated on 12 August 2021
at 11:55:30
Most Recent Legal Notices
No Legal Notices Recorded
‘Sarene.ca coo Tumba o'Curent reco 2
Latest Accounts %Change from Trend
31/12/2019 31/12/2018 Ahmibor thet may sea be Sharsholies 0
Total Turnover 36,958 (3.01) a
— (216) (109.90) Companies in Group 5
Pretax Profit Margin % (0.58) (110.12) oe
EXELA TECHNOLOGIES
agetaeee) 57,537 20.39 i INC
ee 27,449 11.68 a BTC INTERNATIONAL
neciaeines 6,068 (31.26) 5 HOLDINGS INC
‘Number of immediate Subsiarios 3
= Credit Assessment #
Coleetd on 12 Aunt 224 at 15:30
Saari Fania Say emo
Sector £430,000 anmerel Dap See 93 out of 100
bane heal £140,000 epseeieauece Very Low Risk
red Opinion Fare Onde 404-1
» A very low risk company; no hesitation in recommending credit
transactions to the limit assigned.
Commercial Delphi History up to Last 12 Months
[Charts: Commercial Delphi Score (out of 100); Credit Limit and Rating]
Date | Commercial Delphi Score (out of 100) | Credit Limit | Credit Rating
Aug 20 | 100 | £480,000 | £160,000
Sep 20 | 100 | £480,000 | £160,000
Oct 20 | 100 | £480,000 | £160,000
Nov 20 | 100 | £480,000 | £160,000
Dec 20 | 100 | £480,000 | £160,000
Jan 21 | 84 | £340,000 | £130,000
Feb 21 | 84 | £340,000 | £130,000
Mar 21 | 68 | £210,000 | £100,000
Apr 21 | 57 | £180,000 | £88,000
May 21 | 57 | £180,000 | £88,000
Jun 21 | 93 | £430,000 | £140,000
Jul 21 | 93 | £430,000 | £140,000
Current | 93 | £430,000 | £140,000
Commercial Delphi Sector Comparisons
EXELA TECHNOLOGIES LIMITED has a Commercial Delphi score of 83, this means thatthe odds offalure are 10777
EXELA TECHNOLOGIES LIMITED has been compared against other companies in the same industry sector 6 of
‘9 171, This company currently has a Commercial Delphi score higher or equal to 98% of other companies in this 3
EXELA TECHNOLOGIES LIMITED has been compared agai
int other companios that are In the came ascat size grou
fallure odds of 4:1. This company current has a Commercial Delphi scare higher oF equal to 59% of other companias inthis sector.
EXELA TECHNOLOGIES LIMITED haa been
dle of 4:1 This
‘company currently has a Commercial
red ag
inst othe that ae in the same age 49h of al scored: ae in this sector, which
Delph score higher or equal to 67% of ether companies in this sector.
‘scored companies are inthis sector, which currently has an average score of 43 and failure odds
3% of all scored companies are inthis sector, which currently has an average score of 76 and
has an average score of 76 and failure
Commercial Delphi Sector Comparisons
Commercial Delphi Sector Comparison
[Chart legend: This Company; All Scored Companies; Same Industry Group; Same Asset Size Group; Same Age Group]
Date Aug 20 Sep 20 Oct 20 Nov 20 Dec 20 Jan 21 Feb 21 Mar 21 Apr 21 May 21 Jun 21 Jul 21 Current
This Company 100 100 100 100 100 84 84 68 57 57 93 93 93
All Scored Companies 43 43 43 43 43 43 43 42 43 43 43 43 43
Same Industry Group 43 42 43 43 43 42 42 42 43 43 43 42 43
Same Asset Size Group 78 78 78 78 7 77 7 76 77 7 76 76 76
Same Age Group 7 7 7 7 7 7% 7% % %7 77 #47 #776 £76
Comparison Sector Details
Industry Group Computer and Related Services
Asset Size Group £5,000,000 to £200,000,000
Age Group Incorporated before August 1990
31 December 20 S lene 24 a . Shee oe
Date Of Accounts 31/12/2019 31/12/2018 31/12/2017 31/12/2016
Accounting Standard UK GAAP UK GAAP UK GAAP UK GAAP
penal haan 52 52 52 52
Currency GBP 000 GBP 000 GBP 000 GBP 000
Tangible Assets 4,140 4,675 5,055 4,474
Land & Buildings 3,138 3,274 3,419 3,647
Freehold - - - -
Leasehold - - - -
Fixtures & Fittings 806 1,171 1,364 668
Plant & Vehicles 56 89 134 159
Plant 56 89 134 159
Vehicles 0 0 0 0
Other Tangible Assets 140 141 138 0
Intangible Assets 483 644 887 1,242
Other Non-Current Assets 1,156 1,156 1,156 1,156
Total Fixed/Non-Current Assets 5,779 6,475 7,098 6,872
ed lesa 1,183 1,632 1,180 1,121
Raw Materials/Stocks 747 769 867 772
Work in Progress 436 863 313 349
Finished Goods 0 0 0 0
Debtors 50,296 39,196 37,823 31,357
Trade Debtors 3,090 3,159 5,044 4,415
Group Loans 39,900 25,564 21,634 15,283
Directors Loans - - - -
Other Debtors 7,306 10,473 11,145 11,659
Cash At Bank 279 490 477 1,289
Other Current Assets 0 0 0 0
Total Current Assets 51,758 41,318 39,480 33,767
Total Current Liabilities 24,309 16,739 16,436 11,479
Trade Creditors 2,426 1,879 1,624 1,391
Bank Overdraft - - 4,000 4,156
Group Liabilities 12,526 0 0 0
Director Liabilities 0 0 0 0
Hire Purchase/Leasing 324 448 419 231
Hire Purchase 0 - 0 0
Leasing 324 - 419 231
Short Loans 533 3,338 213 213
Taxation 0 1,362 0 33
Dividends 0 0 0 0
Accruals/Deferred Income 7,500 9,609 7,942 4,705
Social Security/VAT 1,000 103 2,238 750
Other Current 0 0 0 0
Working Capital 27,449 24,579 23,044 22,288
Capital Employed 33,228 31,054 30,142 29,160
Total Long Term Liabilities 9,022 5,122 5,169 2,005
Group Long Term Liabilities 0 0 0 -
Director Long Term Liabilities 0 0 0 -
Hire Purchase/Leasing 39 211 412 89
Hire Purchase 0 - 0 0
Leasing 39 - 412 89
Other Long Term Loans 6,742 2,365 1,703 1,916
Accruals/Deferred Income 2,241 2,546 3,054 0
Other Long Term Liabilities 0 0 0 0
Total Provisions 18,138 17,104 18,837 23,194
Deferred Taxation - 100 - -
Pension 18,038 17,004 18,588 22,943
Other Provisions 100 0 249 251
Minority Interests 0 0 0 0
Total Net Assets 6,068 8,828 6,136 3,961
Issued Capital 100 100 100 100
Ordinary Shares 100 100 100 100
Preference Shares 0 0 0 0
Other Issued Capital 0 0 0 0
Share Premium Accounts 0 0 0 0
Revaluation Reserve 0 0 0 0
Retained Earnings 5,968 8,728 6,036 3,861
Other Reserves 0 0 0 0
Total Shareholders Funds 6,068 8,828 6,136 3,961
Net Worth 5,585 8,184 5,249 2,719
Cash Flow Items
We have not received any Cash Flow statements for this company
Profit & Loss
Date Latest Accounts: Date Latest Confirmation: Accounts Ref. Date:
31 December 2019 31 January 2021 31 December
Date Of Accounts 31/12/2019 31/12/2018 31/12/2017 31/12/2016
Accounting Standard UK GAAP UK GAAP UK GAAP UK GAAP
pine mete 52 52 52 52
Currency GBP 000 GBP 000 GBP 000 GBP 000
Total Turnover 36,958 38,105 36,418 35,137
Home Nation - 38,105 - -
Export - 0 - -
Cost Of Sales 29,150 28,762 28,545 27,687
peut 0 0 0 0
Other Direct Items 0 0 0 0
Total Expenses E zi sf
Gross Profit 7,808 9,343 7,873 7,450
Operating Expenses 9,838 6,716 7,908 5,745
Operating Income 2,266 0 0 0
Exceptional Items 0 0 0 0
Operating Profit 236 2,627 (35) 1,705
Other Income 0 0 0 0
Interest Receivable 251 253 290 164
Interest Payable 252 245 810 585
To Bank 0 - 0 0
Hire Purchase - - - -
On Leasing - - - -
Other 252 245 810 585
Exceptional Items (451) (453) 0 0
Pre-Tax Profit/(Loss) (216) 2,182 (555) 1,284
Taxation (2) 451 39 569
Extraordinary Items 0 0 0 0
Minority Interests 0 0 0 0
Dividends 0 0 0 0
Net Profit/(Loss) (214) 1,731 (594) 715
Company Ratios & Disclosure Items
he re nonA ts 0 is -0.4%, this avera
mi i %, this i li Wi fi
This Company has shown a Pre-Tax profit in 2 out of the last four years reported.
Date Latest Accounts: Date Latest Confirmation: Accounts Ref. Date:
31 December 2019 31 January 2021 31 December
Date Of Accounts 31/12/2019 31/12/2018 31/12/2017 31/12/2016
Current Ratio 2.13 2.47 2.40 2.94
Acid Test 2.08 2.37 2.33 2.84
Credit Period (Days) 30.52 30.26 50.55 45.86
Return On Capital % (0.65) 7.03 (1.84) 4.40
Pre-Tax Profit Margin % (0.58) 5.73 (1.52) 3.65
Borrowing Ratio % 361.04 77.74 128.54 242.92
Equity Gearing % 10.55 18.47 13.17 9.75
Debt Gearing % 121.41 31.48 40.29 73.74
Average Remuneration/Employee £ 34,935 32,605 32,132 31,010
Pre-Tax Profit/Employee £ (401) 4,125 (1,035) 2,173
Sales/Employee £ 68,695 72,032 67,944 59,453
Brean aane 792,000 914,000 644,000 476,000
Amortization Charges 1,683,000 2,252,000 2,003,000 378,000
Discontinued Operations 0 0 0 0
Number Of Employees 538 529 536 591
elie seamen 18,795,000 17,248,000 17,223,000 18,327,000
Directors’ Remuneration 242,000 177,000 248,000 155,000
ay Rabon Comparinons
Date Of Accounts 31/12/2019 31/12/2018 % Change Industry Median
Return On Capital % (0.65) 7.03 (109.25) 30.2
Pre-Tax Profit Margin % (0.58) 5.73 (110.12) 13.5
Credit Period (Days) 30.52 30.26 0.85 31
Current Ratio 2.13 2.47 (13.74) 17
Borrowing Ratio % 361.04 77.74 364.42 0.0
Equity Gearing % 10.55 18.47 (42.88) 52.3
Debt Gearing % 121.41 31.48 285.74 0.0
Number Of Employees 538 529 1.70 N/A
Avg. Employee Remuneration 34,935 32,605 7.15 45,057
Sales/Employee £ 68,695 72,032 (4.63) 85,036
Pre-Tax Profit/Employee £ (401) 4,125 (109.73) 7,280
ay Randy Compaons Sb Companion
Date Of Accounts 31/12/2019 Industry Lower Industry Median Industry Upper
Return On Capital % (0.65) (0.9) 30.2 113.0
Pre-Tax Profit Margin % (0.58) (0.1) 13.5 517
Credit Period (Days) 30.52 0 31 63
Current Ratio 2.13 1.0 ALE 3.4
Borrowing Ratio % 361.04 0.0 0.0 16.2
Equity Gearing % 10.55 9.7 52.3 814
Debt Gearing % 121.41 0.0 0.0 0.0
Number Of Employees 538 N/A N/A N/A
Avg. Employee Remuneration £ 34,935 13,200 45,057 70,587
Sales/Employee £ 68,695 36,218 85,036 156,320
Pre-Tax Profit/Employee £ (401) (581) 7,280 31,642
Previous Searches
Semaine Last 3 Months Last 6 Months Last 12 Months
Number OF Searches 17 26 54
Date Search Type SIC Description
20/07/2021 CPU Link Enquiry MISCELLANEOUS
19/07/2021 Risk Report MISCELLANEOUS
19/07/2021 CPU Link Enquiry MISCELLANEOUS
07/07/2021 CPU Link Enquiry MISCELLANEOUS
25/06/2021 CPU Link Enquiry MISCELLANEOUS
22/06/2021 Risk Report MISCELLANEOUS
22/06/2021 CPU Link Enquiry FINANCE/CREDIT
17/06/2021 Risk Report MISCELLANEOUS
14/06/2021 CPU Link Enquiry MISCELLANEOUS
14/06/2021 Risk Report MISCELLANEOUS
14/06/2021 CPU Link Enquiry MISCELLANEOUS
13/06/2021 CPU Link Enquiry CONSULTANTS ETC
12/06/2021 CPU Link Enquiry MISC. GOODS
10/06/2021 CPU Link Enquiry MISC. GOODS
10/06/2021 CPU Link Enquiry MISCELLANEOUS
09/06/2021 Risk Report MISCELLANEOUS
27/05/2021 CPU Link Enquiry MISC. GOODS
12/05/2021 CPU Link Enquiry CONSULTANTS ETC
12/05/2021 CPU Link Enquiry FINANCE/CREDIT
14/04/2021 CPU Link Enquiry MISC. GOODS
12/04/2021 CPU Link Enquiry MISC. GOODS
01/04/2021 Risk Report MISCELLANEOUS
09/03/2021 Risk Report MISCELLANEOUS
08/03/2021 Risk Report MISCELLANEOUS
04/03/2021 CPU Link Enquiry MISC. GOODS
16/02/2021 CPU Link Enquiry MISC. GOODS
11/02/2021 CPU Link Enquiry MISC. GOODS
10/02/2021 Risk Report MISCELLANEOUS
09/02/2021 Risk Report MISCELLANEOUS
08/02/2021 CPU Link Enquiry MISCELLANEOUS
= Analyst Comments
Corporate info
Thi: mpany was incorpor: 44 1
months ago.
Tr « . ffice i
last 12 months,
Directors
Thi mpany has 2 Dire x
The last Dir rr intment wi month: .
None of the Directors may also be shareholders.
Legal & Payment
There is one CCJ registered, it is for £2,130.
The most recent CCJ was for £2,130, and was
registered 3 year: jo.
There are 4 outstanding mortgages and charges
register
Credit and Financials,
A filed withi 2
months.
The accounts were prepared by Auditors.
The return on A: Ratio is -0.4%, this i low
average for this industry sector.
The pre tax profit margin is 0.6%, this is well below his i
the last four years reported.
‘= Payment Profile i
Samay Bnd ni ini Fa Ow oe ‘Days Beyond Torn OTT
Ti company gaye et ne nny eer Month To Date Jul 2021
This company has 0 accounts pace for collection. (Aug 2021)
Number of Accounts 48 45
(Gosineee Services) - 31
[RTigurs ret day beyond orn O87)
Trend Aug 20 Sep 20 Oct 20 Nov 20 Dec 20 Jan 21 Feb 21 Mar 21 Apr 21 May 21 Jun 21 Jul 21
company, 2 2 4 6 4 4 7 14 13 8 10 18
ieee 22 24 25 28 26 30 30 35 31 32 30 31
Averages Current Last 3 Months Last 6 Months Last 12 Months
Company 18 13 12
Lecrald 3 31 32 29
aye Beyond Tes Breakdown
Payment Prtomance By Six Ot Actin For uy 2021
£1-£1,000 £1,001 - £10,000 £10,001 - £100,000 £100,000+
company 2 12 - -
ald 26 49 39 15
Payrt By Oferet Tre
Description DBT Accounts
Net 30 days 18 10
Net 21 days 45 2
thers Aaknown 0 3
Stn py erat fr ly 20 om 8 acount) tect toe tse no payment or month
‘Number of account placed for eoleton 2 4 eccounds) have received no peyment for or more months.
onenertry
‘This company pays ts accounts on average 18 days beyond terms.
‘The payment information we have for this company over the last 8 months available shows a consistent payment patter,
© County Court Judgments 1
t ‘ CC regi i. itis for £2,130
The most recent CCJ was for £2,130, and was
registered 3 years ago.
No. of CCJs by year Satisfied Unsatisfied
FA Lees than a year 0 0
BB 1-2years
Bi 2-syears
Bh a-ayears
Bas yoars
Bi s-eyoars
ecoco00
2coo+0
Total
None
None
‘Betwsen 2 and 3 oars
None
Judgment (1 of 1)
Registered Against EXELA TECHNOLOGIES LIMITED
BARONSMEDE, THE AVENUE, EGHAM, SURREY, TW20 9AB
scone £2,130
Judgment Date August 2018
Som teeter ES0YX331
court NORTHAMPTON CCMCC
None
None
Legal Notices
A search of our databases has shown that there are no Legal Notices recorded against this company
Mortgages, Charges and Satisfactions
Charge (1 of 6)
Date Charge Registered 4 July 2020
Charge Type MISCELLANEOUS
Latest Form Type MG01
Date Charge Created 22 June 2020
Lender HSBC UK BANK PLC
Details CONTAINS FIXED CHARGE. CONTAINS FLOATING CHARGE. FLOATING CHARGE COVERS ALL THE PROPERTY OR UNDERTAKING OF THE COMPANY. CONTAINS NEGATIVE PLEDGE.
Charge (2 of 6)
Date Charge Registered 1 July 2020
Charge Type MISCELLANEOUS
Latest Form Type MG01
Date Charge Created 22 June 2020
Lender HSBC UK BANK PLC
Details 20 THE AVENUE, EGHAM TW20 9AU (LAND REGISTRY TITLE
JCONTAINS FIXED CHARGE. CONTAINS NEGATIVE PLEDGE.
Charge (3 of 6)
Date Charge Registered 6 November 2019
Charge Type MISCELLANEOUS
Latest Form Type MG01
Date Charge Created 31 October 2019
Lender HSBC UK BANK PLC
Details THE PROPERTY KNOWN AS 20 THE AVENUE, EGHAM, TW20 9AU, REGISTERED AT HM
LAND REGISTRY WITH TITLE NUMBERS. -CONTAINS FIXED CHARGE. CONTAINS NEGATIVE PLEDGE.
Charge (4 of 6)
Date Charge Registered 6 November 2019
Charge Type MISCELLANEOUS
Latest Form Type MG01
Date Charge Created 31 October 2019
Lender HSBC UK BANK PLC
Details CONTAINS FIXED CHARGE. CONTAINS FLOATING CHARGE. FLOATING CHARGE COVERS ALL THE PROPERTY OR UNDERTAKING OF THE COMPANY. CONTAINS NEGATIVE PLEDGE.
Satisfied Charge (5 of 6)
Date Charge Registered 21 December 2016
Charge Type MISCELLANEOUS
Latest Form Type MG02
Date Charge Created 12 December 2016
Lender LLOYDS BANK PLC
Date Fully Satisfied 6 November 2019
Details THE PROPERTY KNOWN AS BARONSMEDE, 20 THE AVENUE, EGHAM, SURREY, TW20
IG A FREEHOLD INTEREST TO BE GRANTED OUT OF FREEHOLD TITLE NUMBER
AS SHOWN EDGED RED ON THE PLAN ATTACHED TO THE LEGAL
CHARGE. CONTAINS FIXED CHARGE. CONTAINS FLOATING CHARGE. CONTAINS NEGATIVE PLEDGE.
Satisfied Charge (6 of 6)
Date Charge Registered 12 May 2012
Charge Type DEBENTURE
Latest Form Type MG02
Date Charge Created 41 May 2012
Lender LLOYDS TSB BANK PLC
Date Fully Satisfied 6 November 2019
Secured On ALL MONIES DUE OR TO BECOME DUE FROM THE COMPANY TO THE CHARGEE ON ANY ACCOUNT WHATSOEVER
Details FIXED AND FLOATING CHARGE OVER THE UNDERTAKING AND ALL PROPERTY AND ASSETS PRESENT AND FUTURE, INCLUDING GOODWILL, BOOK DEBTS, UNCALLED CAPITAL, BUILDINGS, FIXTURES, FIXED PLANT & MACHINERY
Consumer Credit Licences (applicable to 31st March 2014)
CCL (1 of 1)
Licence Number 00497626
Dates 13 January 2001
Licensee BANCTEC LIMITED
Licensee Address JARMAN HOUSE, MATHISEN WAY, POYLE ROAD, COLNBROOK, BERKSHIRE SL3 0
estegeies
‘= Company Identification Details
is C Ic
Company Name: EXELA TECHNOLOGIES LIMITED
Registered Number: 01283512
Legal Form: Private Limited
Date Incorporated: 27 October 1976
Age of Company: 44 years 10 months
Issued Capital (Returns): GBP 100,000
Registered Office: BARONSMEDE THE AVENUE, EGHAM TW20 9AB
Trading Address: Jarman House, Mathisen Way, Colnbrook, SLOUGH, Berkshire SL3 0HF
Telephone Number:
Website *: www.bank ik
SIC Codes (1980): 8394, 3302
SIC Description (1980): COMPUTER SERVICES
SIC Codes (1992): 7260
SIC Description (1992): OTHER COMPUTER RELATED ACTIVITIES
Principal Activities: PROVIDING BUSINESS PROCESS OUTSOURCING SERVICES
Previous Names:
BANCTEC LIMITED (until 07 March 2018)
OCR SCANDATA LIMITED (until 25 January 1989)
DUKEHURST LIMITED (until 31 December 1977)
Previous Registered Office:
JARMAN HOUSE, MATHISEN WAY, POYLE ROAD COLNBROOK, SLOUGH SL3 0HF (until 02 May 2017)
JARMAN HOUSE THE HIGHWAYS, MATHISEN WAY, COLNBROOK SLOUGH, BERKSHIRE SL3 0HF (until 26 April 2001)
SCANDATA HOUSE, HORTON ROAD, COLNBROOK, SLOUGH SL3 0DR (until 27 April 1999)
POYLE AERO CENTRE, HORTON ROAD COLNBROOK, SLOUGH, SL3 0DR (until 08 March 1988)
Accounts Type: Full Accounts
Accounts Ref. Date: 31 December
Date Latest Accounts: 31 December 2019
Date Latest Confirmation: 31 January 2021
Auditor/Accountant: KPMG LLP
Bankers: NATIONAL WESTMINSTER BANK PLC, 25 KING STREET, TWICKENHAM, MIDDLESEX TW1 3SU
Corporate Structure
Parent Company: BTC INTERNATIONAL HOLDINGS INC
Ultimate Parent Company: EXELA TECHNOLOGIES INC
UK Direct Subsidiaries:
COMPUTER ENTRY SYSTEMS LIMITED (01381762) - Dissolved/Liquidated
IMAGESOLVE INTERNATIONAL LIMITED (02590898) - Dissolved/Liquidated
SDS APPLICATIONS LIMITED
‘= Share Capital Structure
Share Class
ORD
Total Issued Capital
Lite Sh
Nominal Value ‘Currency Number of Shares Total Value Voting Rights % Total Value
Issued Issued
1.00 cor 100,000 100,000 ve 100.0
oer 100,000 100,000 100.0
‘enue Sir Cpt sale formation on 301202 rom Conematon Sttent
5 Detailed Shareholders
‘Shareholder Name and
Address
BTC ORD
INTERNATIONAL,
HOLDINGS INC.
Share Class Nominal Value Number of Shares. Total Value Currency %of Share Class — % Total Issued
Held Capital
1.00 100,000 100,000 oer 100.0 100.0
PS taooe starhoina ety hl hy two or mere nis. Jot shareholders, win a share clas, share a unguesirsolngnuber. The ako payed he rows ar upd for ach ont share sd rep hoot ves. hy do
ot ned to be cembined cle the jit holdg,
'© Current Directors
is Ci h irec'
T Di 7 5
None of the Directors may also be shareholders.
Name MR JAYMIN CHHAYA
Address
Nationality
Occupation CHARTERED ACCOUNTANT
Date Appointed 25 May 2016
Name
Address {
Nationality 4
Occupation COMPANY EXECUTIVE
Date Appointed 15 March 2021
‘5 Previous Directors
Name GUY HARRIS
Address
Date Of Birth
Occupation
Date Appointed 1 March 1999
Date Resigned 6 October 2000
Name MR PETER J CANNAN
Address
Date Of Birth
Occupation
Date Appointed 16 February 2000
Date Resigned 12 October 2000
Name MR MARK DONALD FAIRCHILD
Address
Date Of Birth
Nationality i -
Occupation PRESIDENT, BANCTEC GROUP LLC
Date Appointed 4 July 2014
Date Resigned 20 September 2016
GRO
Name
Address
Date Of Birth
Nationality
Occupation
Date Appointed 27 September 2000
Date Resigned 31 December 2001
Name
Address
Date Of Birth
Nationality . sa
Occupation CORPORATION EXECUTIVE
Date Appointed 27 September 2000
Date Resigned
Name
Address
Date Of Birth
Nationality
Occupation
Date Appointed
Date Resigned
Name
Address
Date Of Birth
Nationality
Occupation
Date Appointed
Date Resigned
Name
Address
Date Of Birth
Nationality
Occupation
Date Appointed
Date Resigned
Name
Address
Date Of Birth
Nationality
Occupation
Appointed Prior To
Date Resigned
Name
Address
Date Of Birth
Nationality
Occupation
Date Appointed
Date Resigned
Name
Address
Date Of Birth
Nationality
Occupation
Date Appointed
Date Resigned
Name
Address
Date Of Birth
Nationality
9 August 2001
BUSINESS MANAGER
20 November 2000
12 June 2014
26 April 2004
28 February 2005
CEO BANCTEC INC
26 April 2004
30 September 2004
‘BUSINESS EXECUTIVE
31 January 1991
30 June 2004
@
A
Oo
'CEO'BANCTEC ING”
18 November 2004
4 July 2014
"CFO BANCTEC INC
28 February 2005
4 July 2014
TEPHEN JOHN DOWNEY
Q@
A
Oo
Occupation
Date Appointed
Date Resigned
Name
Address
Date Of Birth
Nationality
Occupation
Date Appointed
Date Resigned
Name
Address
Date Of Birth
Nationality
Occupation
Date Appointed
Date Resigned
Name
Address
Date Of Birth
Occupation
Appointed Prior To
Date Resigned
Name
Address
Date Of Birth
Nationality
Occupation
Appointed Prior To
Date Resigned
Name
Address
Date Of Birth
Nationality
Appointed Prior To
Resigned Prior To
Name
Address
Date Of Birth
Nationality
Occupation
Appointed Prior To
Date Resigned
Name
Address
Date Of Birth
Nationality
Occupation
MANAGING DIRECTOR
4 July 2005
4 June 2021
MANAGING DIRECTOR
4 July 2014
20 September 2016
4 July 2014
29 April 2016
BUSINESS EXECUTIVE
16 January 1989
15 February 2000
“BUSINESS EXECUTIVE
16 January 1989
22 June 2000
“6 Yanuary 1989
16 January 1989
BUSINESS EXECUTIVE
31 January 1991
30 June 2004
MR GEORGE W MAYLAND
I GRO
BUSINESS EXECUTIVE
Appointed Prior To 31 January 1991
Date Resigned 30 June 1992
I Company Secretary
Name
Address
Date Appointed
= Previous Company Secretaries
Name MR PETER J CANNAN
Address H GRO
Date Appointed ry
Date Resigned 12 October 2000
Name
Address u
Date Appointed 27 September 2000
Resigned Prior To 31 January 2002
Name ANN CASSERLY MCCAIG
Address f
Date Appointed 1 July 2005
Date Resigned 4 July 2014
Name BRIAN ROBERT STONE
Address
Date Appointed 30 June 2004
Date Resigned 28 February 2005
Name MR COLIN JAMES CUMMING JARMAN
Address r -
Date Appointed “T3 Febiiaiy 20077
Resigned Prior To 31 January 2002
Name
Address f -
Appointed Prior To 16 January 1989
Date Resigned 15 February 2000
I Statutory Documents Filed at Companies House
DateDocuments To/From CRO
3 June 2021 Change Among Directors
16 March 2021 Change Among Directors
20 September 2016 Change Among Directors
25 May 2016 Change Among Directors
23 May 2016 Change Among Directors
14 July 2014 Change Among Directors
4 July 2014 Change Among Directors
47 June 2014 Change Among Directors
21 July 2005 Change Among Directors
28 June 2005 Change Among Directors
25 November 2004 Change Among Directors
7 July 2004 Change Among Directors
29 April 2004 Change Among Directors
28 February 2002 Change Among Directors
4 January 2002 Change Among Directors
24 November 2000 Change Among Directors
17 October 2000 Change Among Directors
23 February 2000 Change Among Directors
2 March 1999 Change Among Directors
15 November 1994 Alter Memorandum or Article
1 July 1992 Change Among Directors
16 May 1991 Change Among Directors
30 January 1990 Change Among Directors
28 February 1989 Change Among Directors
17 January 1989 Alter Memorandum or Article
4 April 1988 Change Among Directors
5 Alert Notes al
There are no Alert Notes for this Company
Report Created On 12 August 2021 At 11:55:30 (CIXF ) Dept:00 Invoice Ref
Copyright © 2021 Experian Ltd
Tab 10 Update on Annual Report and Accounts
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: FY20/21 ARA update
Meeting Date: 28 September 2021
Authors: Tom Lee, Group Financial Controller; Christine Kirby, Head of Financial Accounting and Controls
Sponsor: Alisdair Cameron, Group Chief Finance Officer
Input Sought: Noting
The Committee is asked to note:
i. the status of the Post Office Limited (“POL”) Group Annual Report and Accounts
(“ARA”) for the year ended 28 March 2021 (“FY20/21”);
ii. update on key items required for completion and signing of the ARA; and
iii. the plan, including timing, for completion and signing.
Previous Governance Oversight
• None
Executive Summary
The drafting of POL’s FY20/21 ARA and the corresponding external audit are both well
progressed. There are several key items which require update and completion prior to signing
the ARA. Given the government’s recent announcement that the 2021 Spending review is a
multiyear review (2022/23 to 2024/25) which will conclude on 27 October 2021 and funding
discussions regarding Overturned Historical Convictions are ongoing, the anticipated ARA
signing date of December 2021 should be feasible, assuming no significant delays to the
discussions.
We anticipate adopting a Going Concern basis for FY20/21 on the assumption appropriate
funding and support is provided by government, albeit an emphasis of matter paragraph will
likely still be required due to the reliance placed on government support and the significant
levels of estimation uncertainty and judgement included in the disclosures.
In order to enable ARA signing the following is required:
- Historical Shortfall Scheme (“HSS”) - provision currently stands a with a
corresponding asset or IR cures will be updated as at the time of signing to reflect
management's latest forecasts.
- Overturned Historical Convictions (“OHC”) — work is being performed on an appropriate
level of provisioning and disclosure with the expectation that the provision represents
management’s best estimate of the future pay-out for all historical criminal convictions
whereby we judge that the conviction may be overturned. Similar to HSS in FY19/20,
we anticipate a corresponding asset for OHC will not be recognised until the following
year due to the timing of formal government funding approval. However a non-
adjusting Post Balance Sheet Event will be disclosed in the accounts and considered
within the going concern assessment.
Strictly Confidential
- Postmaster detriment provisions — in the year, and as part of the post Group Litigation
Order activities, several policies and processes related to Postmasters (“PMs”) were
altered to ensure there is no detriment to PMs as a result. Work is underway to assess
whether provisions are required i.e. is there a legal obligation or past event which
triggers the need for a provision and can reasonable estimates be made.
- Historical pension overpayments - work is underway to assess the possible financial
impact on POL of the historical pension payment errors associated with the Royal Mail
Pension Plan. It is not anticipated that the work will be complete prior to ARA signing,
therefore assessment will be made ahead of then as to the impact on the financials and
disclosures, with updates made to the ARA accordingly.
- Impairment review — impairment review at a CGU and investment level was performed
in March 2021 with no issues noted. Individual asset reviews were performed at yearend
and have been performed throughout FY21/22. Updated reviews for all aspects are
currently ongoing and will be formally concluded in November to enable PwC to audit the
outputs. We are not currently aware of any issues to flag to ARC.
- Subsequent events - Disclosures and financials will be updated in respect of anything
coming to light ahead of signing. The two principal items to flag are:
o Telecoms sale - purchase price adjustments for the sale of the Telecoms business
have recently been agreed, enabling updates to be made to the ARA disclosures.
o Starling - expected to remain a contingent liability based on current status of the
trial and management's expectations of the outcome.
- Going Concern - detailed assessment is currently being performed based on latest
forecasts and assumptions around government funding and support, including OHC,
Network Subsidy Payment, Investments and Starling (support only). No issues to flag at
this stage however an update and supporting paper will be provided to ARC ahead of
signing. We believe an emphasis of matter paragraph should remain, given the
significant level of estimation uncertainty and the ongoing reliance on government
support for highly material liabilities.
PwC's audit of the key outstanding items is scheduled for November. The draft ARA will be
presented to ARC and Board for approval in early December. Signing is anticipated for mid-
December, prior to parliament recess on 16 December.
Questions addressed
1. What is the status of the FY20/21 ARA and associated external audit?
2. What are the key items requiring completion / update prior to signing?
3. What is the plan and timetable for completion and signing of the ARA?
Report
Status of ARA and key outstanding items
4. The financial statements and supporting notes are substantially complete and PwC have
completed phase 1 of their audit. Work is now underway by POL to prepare for finalisation
of the ARA and phase 2 of the audit.
5. There are a small number of significant items requiring finalisation and audit signoff prior
to signing the ARA in December. These items are outlined below, along with the actions
required for completion and updates since the last ARC paper in June 2021.
6. Historical Shortfall Scheme (“HSS”) - The provision currently stands at
corresponding asset. The underlying model remains substanti.
that used for the PPTe?20 calculation lila
7. Overturned Historical Convictions:
a. Provision - a provision is required within the FY20/21 ARA in respect of OHC.
b. Asset - negotiations are underway to secure government funding for the potential
future payouts. This funding is also required to support the going concern position
and therefore will need to be finalised prior to signing. Due to accounting standards
requiring an asset to be “virtually certain” to enable recognition at the balance sheet
date, no asset can be recognised in FY20/21. Recognition will be delayed until
FY21/22, which is a similar scenario to that which occurred with HSS. However, a
non-adjusting post balance sheet event will be disclosed and the asset included within
going concern considerations. The value of the asset will depend on the terms of the
agreement with government, but is anticipated to match the provision.
The decisions around making these changes and investigating the impacts
occurred in FY20/21. However for accounting purposes a determination is needed as to
whether there is an obligation and at what point is that triggered. Until progress is made
on the what and how much for each element of potential detriment it is difficult to
confirm the accounting treatment. The ARA will be updated in respect of the findings
once finalised. The work in this area is complex, with a variety of items being looked at
including:
a. Branch discrepancies where PMs were required to settle to cash
b. ATM variances which the PMs made good
c. Suspended PMs who did not receive remuneration
d. Other product specific items
9. Historical pension errors - as disclosed in the FY19/20 ARA, as part of the RMPP buyout
procedures, errors have been noted in relation to payments calculations to members.
Work is underway to assess the possible financial impact on POL of these errors.
Disclosures and financial results will be updated ahead of signing, based on latest
information available at that time.
10. Impairment review - A series of impairment reviews are required per accounting
standards and as part of the subsequent events review process. These are outlined below:
a. Cash Generating Unit (“CGU”) - The Group is split into two CGUs, POL, which
encompasses Payzone Bill Payments Limited (“PZBP”), and Post Office Management
Services Limited (“POI”), being the insurance business. The review of these is a
comparison of forecasted future cashflows vs carrying value of the assets. The
reviews were performed in March 2021 and are currently being updated based on
latest forecasts and assumptions around funding. These will be finalised and audited
in November, assuming funding discussions are finalised.
b. Investments — the investments held by POL are First Rate Exchange Services
Limited, n Payzone Bill Payments Limited. As with the CGU
assessment, comparison is made between investment held and expected future
cashflows. The reviews were performed in March 2021 and are currently being
updated based on latest forecasts and assumptions around funding. These will be
finalised and audited in November, assuming funding discussions are finalised.
c. Individual assets - impairment reviews over the assets held by the Group are
performed quarterly. As at the time of writing there are no material items identified
requiring impairment however this assessment will be updated prior to finalising the
ARA.
11. Subsequent events review - Given the time between yearend and signing it is important
to complete robust post year end reviews to identify any significant events or items which
need further disclosure or require adjustments to the financial position or performance.
As at time of writing the two key updates are:
a. Telecoms sale - purchase price adjustments for the sale of the Telecoms business
have recently been agreed. The final settlement document is due to be signed in
September after which all matters for the financial statements will be closed out. The
ARA has been updated in respect of this.
b. Starling - as the trial has been delayed until February 2022, we do not expect a
conclusion on this matter. We expect this to remain a contingent liability based on
current status of the trial and management's expectations of the outcome. This will
be updated prior to signing should any material changes occur.
12. Going concern - The going concern assessment covers a period of at least 12 months from
the date of signing the ARA. However, in line with FY19/20 a longer period will be
reviewed, covering a period up to 18 months as a result of the significant future costs
associated with HSS and OHC and the likely emphasis of matter around the reliance on
government funding. A detailed review is currently underway and will be concluded in
November, assuming government funding is finalised by then. The key items to be
considered as part of the review include:
a. HSS funding - this was agreed in FY20/21 and assuming no changes are made to
the agreement and / or the estimated future costs of HSS do not exceed the pre-
defined funding limits, no adverse impact should be seen on the going concern
assessment. We anticipate no issues.
b. OHC funding - negotiations are ongoing in respect of this. Funding will need to be
confirmed and be deemed sufficient i.e. have enough headroom above that of the
provisioning level, in order to enable POL to be considered a going concern.
c. Starling funding - in FY20/21 government provided assurances that funding would
be forthcoming if required. Similar assurances are required this year given its
contingent liability status.
d. Investment funding and Network Subsidy - the business forecasts assume a level
of funding in these areas and therefore the linkage between obtaining government
funding and being able to meet future forecasts, which underpin cashflows, and
therefore the going concern position, cannot be underestimated. Obtaining
appropriate government funding is therefore paramount in supporting the going
concern position. The funding round is due to conclude in October 21 and therefore
should align with the December signing timetable.
e. Forecasts - review of the strategic plan, which underpins the going concern
calculations, will be performed in order to factor in any key changes e.g. adaptions
needed off the back of funding decisions.
13. ARA front half - Governance, Risk, Environment, Remuneration and Finance & Business
Review sections have been drafted and will require minor update prior to signing. The CEO
and Chairman’s statements will be late additions, given they need to reflect the latest
views ahead of signing. Finance is working with relevant teams to ensure these are
completed and a timeline is in place, see section 19. Two additional changes are being
worked on for FY20/21, being the expansion of the front half to include more around
strategy and vision, along with a rebranding of the ARA to make it more presentable to
third parties, both of which are being led by Richard Taylor and team.
14. Of the two subsidiaries, PZBP will follow the same timeframe as POL, given the reliance
on POL for funding and therefore its going concern assessment. As at the time of the
September ARC, it is anticipated the POI financial statements will have been signed.
Plan for completion and draft timetable
15. An additional ARC is being scheduled for early-December 2021. The purpose of this is to
allow PwC to present their finalised review of the FY20/21 audit and to allow management
to present their view of the above items, assessments made, conclusions drawn and the
resulting impact on the ARA. Additionally, a draft ARA will be presented for the ARC to
review and recommend to the Board for approval, subsequent to any final items being
resolved.
16. The ARA will be signed in mid-December 2021, allowing time for them to be laid before
parliament before they recess (16th December) and subsequently submitted to Companies
House.
17. For this timeline to be achieved, and by way of summary of the points above, the following
need to occur:
a. HSS provision to be updated, with corresponding adjustments and disclosures made
within the ARA.
b. OHC and PM provisions to be calculated, with corresponding adjustments and
disclosures made within the ARA.
c. Starling disclosures updated.
d. Government funding agreements to be received in respect of CCRC, Starling, NSP
and investment funding, as needed.
e. Impairment reviews to be refreshed.
f. Detailed going concern assessment to be performed, incorporating cashflow analysis,
funding and headroom assessments, and the impact of the myriad of items outlined
above.
g. Disclosures updated in respect of the pension scheme errors, ‘front half’ reports, any
items arising from subsequent events reviews and updates in respect of the
adjustments outlined above.
h. PwC audit and signoff on the above items.
18. Draft timetable for completion of the ARA is below:
- October:
o Provision updates for HSS, OHC and where possible PM Detriment, all of which
will be reflected in the ARA at that point;
o Finalisation of Telco disclosures;
o Going concern paper and disclosures drafted;
o Impairment reviews drafted.
- November:
o Going concern and impairment finalised, following government funding and
support confirmations;
o Tax calculations updated;
o Pension disclosures updated (where necessary);
o PwC audit of new provisions (OHC and PM detriment), going concern,
impairment and tax;
o Finalisation of the front half, excluding the CEO and Chairman Statements;
o PwC review of the ARA, front half and other updates.
- December:
o ARC and Board approval of draft ARA;
o Final branded version produced by Comms;
o Signed by relevant parties;
o Lay before parliament (prior to 16th Dec);
o Send to Companies House.
Tab 12.2 Modern Slavery Action
POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT
Title: Modern Slavery Action
Meeting Date: 28th September 2021
Author: James Scutt, Head of Customer Experience, Franchise & Partnering; Andy Kingham, Franchise Partnering Director
Sponsor: Amanda Jones, Retail and Franchise Network Director
Input Sought: Noting
At Post Office ARC July 2021, the Chair asked for an update on a recent case discussed and
requested that the case be reviewed to make sure that the process was transparent.
Executive Summary
At the July 2021 ARC, Amanda Jones informed the board of an ongoing potential Modern
Slavery case involving an individual who lived above a Post Office shop. A Modern Slavery
response group had been convened.
An organisation called Unseen UK were notified as first responders and they passed the case
on to Humberside Police.
The Police visited the branch and spoke to the potential victim. The victim has subsequently
left the branch and moved to London.
Questions addressed
1. What did our MS Observation find?
2. What action did we take?
Report
What did our MS Observation find?
1. A Post Office Area Manager completed a Modern Slavery observation as part of her
normal working duties. The Observation was completed while visiting Ashby (336311)
branch on 17th June 2021. The branch is located in Scunthorpe, North Lincolnshire.
2. Our MS Observation consists of 14 Yes/No questions and the Observation completed
contained two yes answers to the following questions:
• Is there any living accommodation related to the site itself, that has an entrance
directly into PO or retail areas?
• Did you observe anything else that gave you any cause for concern?
3. All other questions were answered “No”:
• Other than the retail offer alongside the Post Office, are there any other businesses
operating on the site?
• Are there any non-public facing areas attached to the site that are either rented or
leased to others, not engaged with the operation of the PO or accompanying retail?
• Are any non-public facing staff areas in an unacceptable state of hygiene?
• Persons being unable to leave their work environment, or having their movements
controlled?
• Persons being unable to communicate freely with others?
• Persons showing visual injury noted on more than one occasion (a trend)?
• Were you stopped from entering the back areas of the Site?
• Persons acting as if they were instructed harshly by someone else?
• Persons allowing others to speak for them when addressed directly by yourself?
• Persons displaying signs of being distrustful or nervous of your presence? (fear or
anxiety)
• Persons being "unusually" unfamiliar with the local language?
• Any Persons lack the basic training for the PO job they are doing?
What action did we take?
4. We started to progress through our investigation process:
| Stage | Stage Subject | Investigation Timescale |
|---|---|---|
| 0 | Observation | N/A |
| 1 | Observation response to “Yes” flag(s) | Data is reviewed every Monday for the previous week's Observations. Any “Yes” flag Observations are sent to Regional Managers for return within 5 working days. Regional Managers return bullet points of findings and a Yes/No on further investigation. |
| 2 | Regional Manager Fact Find | Upon receiving a “Yes” concern from Stage 1, Stage 2 Fact Find document is issued to the Regional Manager for return within 3 working days of the issue date. The Fact Find dives deeper into the concerns and documents the conversation with the Observation completer. |
| 3 | Risk Indicators | Upon receiving a “Yes” concern from Stage 2, if it is felt necessary and beneficial, a Stage 3 Risk indicators request can be made to the Contracts team for return within 3 working days of the issue date. |
| 4 | Modern Slavery Response Group (MSRG) convened | If it is felt necessary by the Regional Manager, the MSRG is convened as soon as possible after the Stage 2 is complete and Stage 3 Risk indicators are received back. The purpose of the group is to support the Regional Manager who will be making the call to the First responder organisation. |
| 5 | Referral to First Responder organisation | Regional Manager makes call to First Responder organisation, supported by the MSRG. Regional Manager confirms call reference number to MS Coordinator. |
| 6 | Monitor Branch Operation | As a First Responder organisation will not feedback, monitoring of the branch operation is necessary so that action can be taken if branch operation is interrupted. |
5. The Observation was picked up by our checking processes the following Monday and a
request was sent to the Regional manager for more information.
6. That request revealed the following:
• “A young male (about early 20s) lives on site and has been in the UK for less than
5 years so does not work on the Post Office side as he doesn’t have a smart ID. He
always seems to be at work working in the shop all hours. The staff used to use
upstairs as a storage area and toilet area but can no longer go upstairs as this is
his living accommodation. They were not sure if upstairs had been improved or not
but if not or only had basics improvements then it would not be an ideal living
place, very cold and damp.”
• “The Postmaster has only had the Post office for a year, and he has just sold it and
brought another one and he is going with him to the new branch. The team
comment about how many hours he works. Saying he is there all day every day.
He is quiet but looks in good health.”
7. Upon review of the above centrally we progressed this to our next investigation stage of
a more formal fact find with the Area Manager which gave us further information about
the potential victim:
• He lives on site and is always working, never has a day off.
• He’s very quiet, doesn’t say much, just smiles.
• He lives above the branch living accommodation which was previously a storeroom.
It is believed that this was not refitted before he moved in.
• The team have never seen him and the Postmaster communicate.
• He would have worked in the post office, however, couldn’t get a smart ID due to
the lack of years in this country.
• The postmaster is buying another office and taking him with him to work in the new
site.
8. The Post Office Contracts Team noted that the Postmaster, Mr Mohamed Mohamed
Ghouse (Director, AARA Foods Ltd) submitted a notice to terminate the Agreement on
the 13/04/21.
9. In this notice, Ghouse provided the details of an applicant for the branch - Mr Kinthusan
Thevakumar. Mr Thevakumar has been successful in his application and has been
offered the appointment. Our onboarding team received the Agreement back on 22nd
July. The new Postmaster has not yet gone live.
10. The outgoing Postmaster's company has not previously come across the radar of the
Contracts Team i.e. no contractual or performance issues have been flagged up to the
Contract Team from any source.
11. Over the past 12 months 97.7% of the required cash declarations have been completed
at the branch. Data shows that this is a deficit branch i.e. their out-payments exceed in-
payments. The branch cash is therefore controlled by Cash Management, who will
supply the branch based on transactional data and declared cash. Excess cash levels at
the branch currently give no cause for concern.
12. The branch appears to be run without any issues.
13. We convened the Modern Slavery Response Group comprising: MS Steering group chair,
Franchise Partnering Director & MS Policy owner, Head of Security, Legal, Procurement,
Risk, CSR & Communications and the Regional manager for the branch.
14. The group agreed that, with the knowledge we had we should report our findings to
UnseenUK, the organisation that runs the Modern Slavery helpline. The report was made
on 13th July 2021 by the Regional Manager for the branch as the person that holds the
highest level of knowledge. At this point we asked the Area Manager not to visit the
branch but to monitor BAU trading and feed-back any contact from the branch.
Next Steps & Timelines
15. Centrally, we have been monitoring the branch to spot any unusual patterns of trade
that might indicate an interruption in BAU operation. The Area Manager has also been
monitoring the branch locally.
16. First Responder (UnseenUK) policy is that they do not feed-back any updates to the
person logging the report or Post Office. On 31st August 21 our Regional Manager
received a call from Humberside Police to clarify the information he had reported to
UnSeen. They said that they would be visiting the site but gave no details about the
activity they would undertake. The PC seemed concerned because it had been
mentioned that the Postmaster was “taking Vinny with him” when he moved from the
branch.
17. On a subsequent Area Manager visit, the PO branch Team told our Area Manager that
the police had visited the branch and told Vinny that he could not live above the branch
as it’s not a residential property. They also said that Vinny had suddenly now left with
his wife and moved to London and that he will now not be going to the new branch with
the Postmaster. We have called this additional information into the Modern Slavery
Helpline.
18. The outgoing Postmaster from Ashby is in process to buy a different Post Office and has
returned an agreement on 3rd August to take over 327427 Chatburn Post Office. We will
continue to monitor this branch.
Tab 12.3 Committee Forward Plan