Agenda
UKGI00044335
POST OFFICE LIMITED
Meeting: Audit, Risk & Compliance Committee
Date: 10 July 2023
Time: 14:30 - 17:00 hrs
Location: 100 Wood Street, London, EC2V 7ER / Microsoft Teams
Meeting Room: Birch
Present:
Simon Jeffreys (Chair)
Elliot Jacobs (NED)
Lorna Gratton (NED, UKGI)
Andrew Darfoor (NED)

Invited Attendees:
Kathryn Sherratt (Finance Director, IT & Transformation)
Simon Recaldin (Historical Matters Director): Item 3
Martin Roberts (Group Chief Retail Officer): Item 5
Mel Park (Central Operations Director): Item 5
Ian Holloway (Director of Risk and Compliance, Post Office Financial Services): Item 6
Tom Lee (Group Financial Controller): Item 7
Pete Marsh (Retail Operations Director): Items 8 & 9
John Bartlett (Head of Central Investigations Unit): Item 13

Regular Attendees:
Henry Staunton (Group Chairman)
Nick Read (Group CEO)
Sarah Allen (Director, PwC)
Haydn Horner (Senior Manager, PwC)
Anshu Mathur (Group Assurance Director)
Johann Appel (Director of Internal Audit and Risk Management)
Rebecca Barker (Head of Risk)
Jonathan Hill (Group Compliance Director)
Carol Murray (Deloitte Partner)
Rachel Scarrabelotti (Company Secretary)
Marie Molloy (Senior Assistant Company Secretary)

Apologies:
Andrew Paynter (Partner, PwC)
Ben Foat (Group General Counsel)
Alisdair Cameron (Group CFO)
Time  | Item                                              | Owner | Action
14.30 | 1. Welcome & Conflicts of Interest                | Chair | Noting
14.30 | 2. Previous Meetings                              |       |
      | 2.1 Minutes: (i) 16 May 2023                      | Chair | Approval
      | 2.2 Action List                                   | Chair | Noting
Strictly Confidential
POL ARC Meeting-10/07/23 1 of 111
      | 2.3 Draft Risk and Compliance Committee Minutes (27 June 2023) |       | Noting
14.35 | 3. HMU Risks                                      | Simon Recaldin | Noting
      | 4. Risk, Compliance and Internal Audit Updates    |       |
14.50 | 4.1 Risk Report & Dashboard                       | Johann Appel / Rebecca Barker | Noting
15.00 | 4.2 Compliance Report                             | Jonathan Hill | Noting
      | 4.3 Assurance Update                              | Anshu Mathur | Noting
15.20 | 4.4 Internal Audit Report                         | Johann Appel | Noting
15.30 | 5. Postmaster Losses                              | Martin Roberts / Mel Park | Noting
15.45 | Break                                             |       |
15.50 | 6. POI Deep Dive                                  | Ian Holloway | Noting
16.05 | 7. Year End Audit (Verbal Update)                 | PwC / Tom Lee / Kathryn Sherratt | Noting
16.15 | 8. Postmaster Policies                            | Pete Marsh | Approval
      | 8.1 Postmaster Contract Performance Policy        |       |
      | 8.2 Postmaster Contract Suspension Policy         |       |
      | 8.3 Postmaster Contract Termination Policy        |       |
      | 8.4 Postmaster Decision Review Policy             |       |
16.25 | 9. Modern Slavery Statement                       | Pete Marsh | Approval
16.30 | 10. Policies for Approval                         | Jonathan Hill | Approval
      | 10.1 Financial Crime Policy                       |       |
      | 10.2 Anti-Bribery and Corruption Policy           |       |
      | 10.3 Anti-Money Laundering & Counter Terrorism Funding Policy |       |
16.40 | 11. Any other business                            | All   |
16.45 | 12. External Audit to meet with ARC Members       |       |
16.55 | 13. Speak Up Report                               | John Bartlett / ARC Members | Noting
Items for Noting
These items will not be presented to the Committee and any questions should be sent to the Secretary for submission to the author for response. Questions and answers will be recorded as appendices to the meeting minutes.
1. Procurement Governance & Compliance Liam Carroll
2. Fraud Risk Johann Appel
3. Committee Forward Plan CoSec
Next ARC Meeting:
- Monday 24 July 2023 at 14:00 - 15:30 via Microsoft Teams.
Tab 2.1 Minutes of 16 May 2023
MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF POST OFFICE LIMITED HELD ON TUESDAY 16 MAY 2023 AT 20 FINSBURY STREET, LONDON EC2Y 9AQ AT 09:00 AM
Present:
Simon Jeffreys (Chair)
Elliot Jacobs (NED) (EJ)
Lorna Gratton (NED, UKGI) (LG)

Regular Attendees:
Ben Foat (Group General Counsel) (BF)
Andrew Paynter (Partner, PwC) (AP)
Sarah Allen (Director, PwC) (SA)
Anshu Mathur (Interim Group Compliance Director) (AM)
Johann Appel (Head of Internal Audit) (JA)
Jonathan Hill (Group Compliance Director) (JH)
Carol Murray (Deloitte Partner) (CM)
Marie Molloy (Senior Assistant Company Secretary) (MM)

Apologies:
Henry Staunton (Chairman, POL) (HS)
Nick Read (Group Chief Executive Officer) (NR)
Alisdair Cameron (Group Chief Finance Officer) (AC)

Invited Attendees:
Andrew Darfoor (Observer) (AD)
Amanda Burton (NED, Observer) (AB)
Rebecca Barker (Head of Risk): Item 3.1 (RB)
Tim Bennett (Senior Internal Audit Manager): Item 3.3 (TB)
Zdravko Mladenov (Group Chief Digital and Information Officer): Items 3.3, 4 and 5 (ZM)
Matt Taylor (Head of Data Management): Item 4 (MT)
Vishal Thanki (Data Governance Lead Contractor): Item 4 (VT)
Kayleigh Dodd (Digital/Physical Records Manager): Items 4 & 5 (KD)
Dan Pearson (Director, PwC): Item 6 (DP)
Martin Kearsley (Product Portfolio Director - Banking, Payments and Transactional Products): Item 6 (MK)
Tom Lee (Group Financial Controller): Item 6 (TL)
Sarah Gray (Group Legal Director): Item 7 (SG)
1. Welcome and Conflicts of Interest

1.1 A quorum being present, the Chair opened the meeting. LG's first ARC as a Director was noted. The ARC acknowledged the attendance of AD and AB as observers at this meeting. As observers, the ARC is aware that all contributions made by AD and AB to this meeting are observations only, and do not constitute advice, recommendations, directions or instructions. The ARC confirms that it will take due care not to be unduly influenced solely by contributions made by AD and AB and that it will reach its conclusion based on a balanced and diligent assessment of all of the facts available to it.
1.2 EJ reminded the meeting of his conflict of interest as a Postmaster. The Directors declared that they had no new conflicts of interest in the matters to be considered at the meeting in accordance with the requirements of section 177 of the Companies Act 2006 and the Company's Articles of Association.
2. Previous Meetings

The minutes of the Audit, Risk and Compliance Committee meeting held on 28 March 2023 were APPROVED and AUTHORISED for signature by the Chair.

In relation to stock control and stamps, EJ had become aware that some Postmasters were having stamp stock applied onto the system without being counted, which may also impact Postmaster losses. ACTION: Martin Roberts to clarify the impact of the Post Office centrally logging onto the system adjusting Postmaster stock.

Action deadlines being pushed back, particularly in relation to the Self-service action, and the associated impact on progress was highlighted by EJ. ACTION: Progress on the self-service action to be presented at the July ARC.

Progress against the completion of actions as shown on the action log was NOTED.

Action owners: Martin Roberts; ZM/Martin Roberts.
2.3 BF had chaired the RCC on 9 May and highlighted key points. There were concerns regarding controls over contracts and a paper would come to ARC in July regarding the Contract Management Framework. The Chair asked if all contracts were involved. BF confirmed it was upstream and downstream; to third parties POL were providing services to and receiving services from, but that retail/Postmaster contracts were not encompassed and employment contracts were processed by the People Team. BF observed that when Postmaster contracts were requested there was a delay in obtaining them.

BF had also flagged to the GE, following the RCC, the overarching themes around governance and culture. ACTION: A governance paper to the June RCC/July ARC.

In terms of culture, BF considered that there was progress but critical steps were required to be executed at pace and it was not moving quickly enough. BF had flagged that an Ethics Director had yet to be appointed. EJ considered that the office move to Wood Street was an opportune time for a cultural shift.

AB asked if there was a clear understanding of the POL culture now and where it wanted to be. The Chair also considered the measuring/auditing of culture. ACTION: The Chair to discuss POL culture, in the context of the Board Agenda, with the POL Board Chair.

LG asked if governance and culture would be covered in the 6 June Board. LG was also interested in CIJ/IDG work against implementation being covered. ACTION: BF to advise the ARC members if these items would be covered at the Board meeting on 6 June.

The draft minutes of the Risk and Compliance Committee held on 9 May 2023 were NOTED.

Action owners: Rachel Scarrabelotti; Chair; BF.
3. Risk, Compliance and Internal Audit Updates

3.1 Risk Report & Dashboard
RB joined the meeting.

JA acknowledged that the paper did not contain considerable detail about the top risks and the ‘road to green’. In Appendix 1 all risks outside of appetite and extended appetite were documented. The mitigations being planned would be expanded upon for the July ARC and would form part of the Deep Dives.

JA referenced Appendix 2, which contained the forward plan for the Deep Dives. The risks outside of appetite or tolerance, and where there were challenges with treatment of the risk/timelines, would be highlighted to the ARC. The Chair clarified if progress of risk mitigations against the committed timetables would be included. JA confirmed that it would be at a high level regarding whether it was on track or not.

JA highlighted one new risk that exceeded appetite: Retail - inability to identify, investigate and resolve branch account discrepancies. The amount of Postmaster losses was increasing month on month and the risk was outside appetite and extended appetite. The Chair asked who owned this area. JA confirmed it was Martin Roberts, Group Chief Retail Officer, and Mel Park, Central Operations Director.

EJ considered this issue was complex and did not just involve the retail button, which there was debate about removing in NBIT. EJ had scheduled a meeting with Mel Park to work to resolve issues within his own branches and considered that where there were disputed issues it was about understanding why they were not resolved.

BF was aware that when the dispute button was pressed Postmasters were required to contact the centre, which often did not happen. EJ highlighted that the helpdesk was only open during the working day, which was when Postmasters were busy with customers. The Chair asked how this was being dealt with. BF confirmed that Martin and Mel had accountability for this and highlighted the balance of managing public money. ACTION: Martin Roberts and Mel Park to present a paper to ARC on Postmaster Losses and Investigation.

AD observed the overdue audit actions and asked if this was because deadlines were unrealistic or there were challenges that had led to them being pushed out. JA confirmed that there was generally good completion of audit actions but this month had been the worst since November 2022. There had been slippage with some SPM actions due to the inability to recruit the right people. One or two actions had been ambitious and where there were legitimate reasons JA granted an extension.

The Chair asked how the actions were followed up to ensure completion. JA confirmed there was escalation to GE sponsors. BF confirmed the second line oversight at RCC. ACTION: JA to highlight to ARC overdue audit actions that are not receiving timely or effective attention and the reasons behind this.

AB asked about implications for the rollout of the new IT system. EJ was aware this was to be discussed at Board on 6 June. JA confirmed that apart from the new risk moving outside appetite and extended appetite, the other risks were stable. The previous ARC Chair had escalated the top three risks to the BEIS ARC Chair. The Chair was keen to continue the momentum and continue to escalate as necessary in order to bring about change.

Action owners: Martin Roberts/Mel Park; JA.
LG asked about JA's assessment of a view of a credible plan, progress against mitigations and whether implementation of mitigations gave a credible reduction in risk. JA considered that this would be completed in the Deep Dives.

RB requested approval of the People risk appetite and tolerance levels, which the Committee approved. EJ discussed the link to Postmaster risk, with the Postmaster survey results being worse than last year's. JA confirmed that the risk appetite statements would enable the risks to be assessed and reported against.

The ARC:
- NOTED the status of key intermediate risks; and
- APPROVED the proposed appetite & tolerance levels for People risks.

RB left the meeting.
3.2 Group Compliance Update

JH introduced the Group Compliance Update and highlighted that hard copy data management and control continued to remain a significant risk. There had been a significant increase in FOI/DSAR requests. From the nature of the requests, it was evident that these increases were being driven by the Inquiry and Compensation Schemes.

Historical Matters Assurance Update

AM confirmed that CIJ assurance fieldwork had now been completed, with the HI) assurance fieldwork completion quickly following. AM reported that culture/behaviours were a common thematic. An assurance update would be provided at the July ARC.

The ARC NOTED the Group Compliance and Historical Matters Assurance update.
3.3 Internal Audit Report

ZM and TB entered the meeting.

JA introduced the Internal Audit Report and advised that seven POL audits and one POI audit were completed in the current reporting cycle. The final two audits were being delayed due to challenges in getting information from third parties.

EJ discussed the SPM — R2 Readiness & Governance Internal Audit and slippage to R2 and R3 and the implications on Fujitsu, the freeze on technology and self-service. JA highlighted his biggest concern, being that governance over the SPM technology programme was still paused.

The Chair asked for thoughts on what was missing or should be in place and the steps to good governance. JA suggested independent oversight of how the SPM programme was managed, dealt with challenges and the pace of decision making. TB discussed a steering group with a linked assurance function alongside. JA noted the progress made on the technical assurance but an overarching assurance plan was required.
The meeting discussed the lines of defence. The work of the Improvement Development Group was outlined by BF.

LG enquired if specialists were required and JA outlined the Internal Audit programme which Deloitte helped to deliver. LG considered conversations with the department regarding assurance running in parallel/their requirements. CM outlined assistance that Deloitte could provide in relation to their branded third line of defence reporting, should they be approached to do so.

ZM confirmed that a paper would be presented to the 6 June Board detailing the timelines and assurance around the technology and retail components. Automation was being considered independently of NBIT/Horizon. Nick Read and ZM had met with Fujitsu and the cost impact would be tabled for the Board meeting. EJ was conscious of the risks around Belfast. ZM confirmed work was in flight to take over from Fujitsu part of Belfast to reduce financial expenditure. The Chair asked that the paper to the Board be open on the funding requirements. ZM confirmed that it would be explicit on the funding requirements.

LG discussed the Legal Costs Internal Audit Report and the lack of a formal contract with expenditure averaging £2m per month. The reasons for difficulties in forecasting were outlined by BF; strict controls would be in place with the new law firm in the future and lessons had been learned.

LG asked about BAU and change spend. ACTION: BF to check with Tim McInnes, Strategy and Transformation Director, whether the BAU and change process were mirrored and report back to ARC.

The ARC NOTED the progress being made with delivery of the Internal Audit programme and completion of audit actions.

TB left the meeting.

Action owner: BF.
4. Data Governance Framework Approval

MT, VT & KD entered the meeting.

ZM outlined the Data Governance Framework (DGF) which was anchored on an industry standard customised for the requirements of POL. The framework set the criteria for the basis to achieve a ‘level 2’ maturity for all areas of the organisation.

The Chair asked how the appropriate outturn could be ensured. ZM acknowledged that the framework was only as good as the people who execute/implement it. ZM would have liked to pursue a more aggressive timetable but this was constrained by BAU reasons.

The Chair explored the reasons and ZM confirmed it was the knowledge required to address the various issues. The bandwidth of the organisation had led to the aspiration to achieve Level 2 maturity by February 2024.

EJ discussed the impact of home working on data governance. ZM confirmed there was guidance provided and acknowledged it was a challenge for all organisations with remote working. ACTION: Re-iteration of training on data management.

The ARC APPROVED the Data Governance Framework.

MT, VT & KD left the meeting.

Action owner: Kayleigh Dodd.
5. Technical Assurance Plan for SPM (Verbal Update)

ZM was aware that all components needed to be assured and an integrated plan was required. AM now had accountability for co-ordinating all the different components.

In relation to technical assurance, Mazars were finalising their recommendations which would be detailed at the July ARC. A missing component was external assurance recommendations to have a set of criteria for ‘go live’ and ZM confirmed that Mazars had been tasked to work on this element.

The Chair requested that a separate meeting be scheduled to go through the Integrated Assurance Plan for SPM in an appropriate level of detail. ACTION: AM to schedule a meeting with ARC members once the Integrated Assurance Plan for SPM has been developed.

The ARC NOTED the verbal update on the Technical Assurance Plan for SPM.

Action owner: AM.
6. Outcome from the Banking Framework Assurance Engagement

DP, MK and TL entered the meeting.

AP discussed the audit plan and the ARA update that would be provided to ARC at the additional meeting on 21 June.

AP introduced the paper, which was non-audit work other than closely related. It considered whether POL had complied with the Banking Framework and was binary, as in yes or no, POL were in compliance or not.

MK confirmed that the report had been issued to the banks which had signed up. Phase 1 had highlighted shared logins as an issue. MK advised that the Banks were looking for POL to mirror their own compliance requirements.

The Chair asked about the degree of seriousness of the assurance engagement outcome. DP explained that the qualified conclusion, which would be rare in a financial audit, was more common in costs and process auditing. In 90% of the 300 clauses POL had received a clean opinion. There was an intention that an updated piece of work would be undertaken in the future and POL were keen to remediate issues identified.

LG asked about the feedback from the Banks to the report, particularly in the context of re-negotiation. MK advised there had been no feedback as yet from the Banks and MK had held service meetings individually with each since publication of the report six or seven weeks ago.

MK outlined the shared login challenge and this was being discussed at GE to take systematic action. EJ discussed building in biometrics and MK confirmed this would not be in NBIT; they would be working to enforce contractual commitments on Postmasters, rather than physical system prevention.

EJ considered the 3 x volume of cash Postmasters were now working with, and anticipated the error rate and losses would increase, particularly as there was no automation, and the associated risk. MK outlined the steps being undertaken with Tele Cash registers and 500 enhancements that Cash Access UK were funding. There was also direct Post Office investment, along with Banks investing for Banking Framework 4.

LG considered how POL were focusing on the volume/value of losses. JA confirmed that data analytics software had been stood up and the algorithms were being refined to better target and identify contributors to established losses.

The ARC NOTED the Outcome from the Banking Framework assurance engagement.

DP, MK and TL left the meeting.
7. Policies for Approval

SG entered the meeting.

7.1 Internal Audit Charter

The ARC APPROVED the Internal Audit Charter.

7.2 Business Continuity Policy

The ARC APPROVED the Business Continuity Policy.

7.3 Speak Up Policy

JH highlighted that the previous Speak Up Champion had left POL. A new NED would be approached to fill this role.

EJ discussed Speak Up within the Postmaster community, in addition to internal staff. BF highlighted the operational improvements made and was mindful of the communications and genuine engagement with Postmasters. AD asked about other mechanisms Postmasters could utilise to feed back. BF confirmed this could be via area managers or they could contact the CEO; there were mechanisms in place and it could come in many forms.

AB discussed culture and a lack of trust which could result in people not speaking up, and the importance of the tone and language used. SG outlined the outreach programme for area managers to increase awareness of how to Speak Up and the protections around doing so. Also, by highlighting Speak Up successes which had led to positive change, people could see that it was the right thing to do.

AD asked about the data points and BF confirmed there was a monthly dashboard that was viewed at GE.

The ARC APPROVED the Speak Up Policy.
7.4 Group Legal Policy

The ARC APPROVED the Group Legal Policy.

SG left the meeting.
8. Committee Evaluation

MM outlined that across all evaluation areas the effectiveness of ARC was rated as ‘very good’, which is broadly in line with prior year ratings. It was acknowledged that the NED membership of ARC had changed since the evaluation questionnaire was undertaken. The four actions from the previous Committee Evaluation 2021/22 were completed.

The proposed actions to address the areas of relatively lower scores and constructive feedback were:
- ARC coverage to ensure all key risk areas are reviewed to provide a holistic view of the control and operational risk environments within POL, particularly those exposed to legal and regulatory environments;
- Strict enforcement of templates and ensuring papers in the reading room are appropriately cross referenced and/or summarised in the main pack;
- Enhance coverage of lines of defence to ensure this is adequate to provide early warning/lead indicators;
- Consideration of whether a balanced scorecard regarding Postmaster detriment should be developed;
- The Committee to formally review the ‘Forward Plan’ on a 6 monthly basis to ensure this remains in line with the risk profile of POL.

EJ requested that when reports were pushed back to later meetings, the presenter still attended ARC to provide an explanation.

LG outlined that she considered papers should be more action focused and include whether what should be being done was actually being undertaken. The Chair agreed and had a preference for more analysis, interpretation and recommendations in the papers.

AD had seen a one page top sheet on issues the committee should consider work well at other organisations and the Chair was supportive of this.

ACTION: The additional member feedback to be incorporated into 2022/23 Committee actions to address points raised for improvement.

The ARC NOTED and DISCUSSED the ARC Committee Evaluation for 2022/23.

9. AOB

AB had observed there were many programmes/projects running in the organisation and asked about a hierarchy of projects/project review to focus on critical projects. BF acknowledged that additions were made to projects at GE but that projects were rarely stopped. EJ would also find it helpful to know where projects sat in terms of Historical/BAU and future timelines. ACTION: A report back to ARC on the list of projects, with the GE having reviewed in terms of criticality to the organisation.

There being no further business, the meeting was closed at 10.57.

Action owner: Tim McInnes.
10. Private Session with External Audit

AP and SA met with the Chair and LG. EJ apologised as he had a commitment and could not stay for this part of the ARC.

AD and AB attended as observers.

MM was present to capture notes of the meeting.

11. Items for Noting

11.1 The following papers were circulated to the Committee prior to the meeting, but were not discussed at its meeting and were NOTED by the Committee:
- Procurement Governance & Compliance
- Post Office Insurance ARC update
- Payment Practices Reporting Compliance
- Strategic Partner Risk & Failure Monitoring Paper & Dashboard
- Committee Forward Plan
Tab 2.2 Action List
Tab 2.3 Draft Risk and Compliance Committee Minutes (27 June 2023)

MINUTES OF A MEETING OF THE RISK AND COMPLIANCE COMMITTEE OF POST OFFICE LIMITED HELD ON TUESDAY 27 JUNE 2023 AT 10:30 AT WOOD STREET
Present:
Zdravko Mladenov (Group Chief Digital and Information Officer), Chair in the absence of Alisdair Cameron
Max Jacobi (Finance Director - Commercial) (MJ)
Kathryn Sherratt (Finance Director - Finance IT & Transformation) on behalf of Alisdair Cameron (Group Chief Finance Officer) (KS)
Tracy Marshall (Retail Engagement Director) (TM)
Juliet Lang (Leadership and Culture Director) on behalf of Jane Davies (Group Chief People Officer) (JL)
Sarah Gray (Group Legal Director) on behalf of Ben Foat (Group General Counsel) (SG)

Attendees:
Simon Recaldin (Historical Matters Director): Item 2 (SR)
Mark Underwood (LCG Operations Director): Item 3 (MU)
Liam Carroll (Procurement Director): Item 3 (LC)
Mel Park (Central Operations Director): Item 4 (MP)
David Southall (Head of Contract and Deployment): Items 6 & 7 (DS)
Matt Taylor (Head of Data Management): Item 8 (MT)
Kayleigh Dodd (Digital/Physical Records Manager): Item 8 (KD)
Vishal Thanki (Data Governance Lead Contractor): Item 8 (VT)
Ian Holloway (Director of Risk and Compliance): Item 10 (IH)
Dean Bessell (Interim CISO for Retail and Controls): Items 11 & 12 (DB)
Simon Oldnall (Horizon and GLO IT Director): Item 12 (SO)
Peter Mitchell (Group Treasurer): Item 13 (PM)
Andy Bear (Lockton Insurance Brokers): Item 13 (AB)

Apologies:
Ben Foat (Group General Counsel)
Alisdair Cameron (Chair)
Jane Davies (Group Chief People Officer)
Tom Lee (Group Financial Controller)

Regular Attendees:
Johann Appel (Director of Internal Audit & Risk) (JA)
Rebecca Barker (Head of Risk) (RB)
Jonathan Hill (Group Compliance Director) (JH)
Anshu Mathur (Group Assurance Director) (AM)
Daniel Ward (Head of Financial and Technical Accounting) on behalf of Tom Lee (DW)
Marie Molloy (Senior Assistant Company Secretary) (MM)
1. Welcome and Conflicts of Interest

In the absence of Alisdair Cameron, the members nominated Zdravko Mladenov to Chair this RCC meeting only. The Chair opened the meeting and advised that all papers would be taken as read. No conflicts of interest were declared.

2. HMU Risks

SR entered the meeting.
The paper was taken as read. SR confirmed that the term ‘historic’ was being dropped. SR advised that there were two issues that would be reported to ARC that were not in the paper to RCC.

The first related to the risk profile in the operational team; SR had challenged the calculation of a payment when it had come to him for sign off. JA asked if this was in relation to Pot A suspension payments and SR confirmed that it was, and that this showed that the first line controls worked, i.e. they had spotted an issue. SR had requested Group Assurance to perform a review. AM advised that this review was prioritised and was now completed; it affirmed SR's concerns and significant design gaps were identified, rendering the control environment for suspension payments unsatisfactory.

SR discussed the refresher training that would be undertaken and how the operational issue occurred, as it was between the pre-offer and post-offer processes. This would be mapped out and communicated.

The second issue that was to be reported was in respect of the non-payment of tax and NI contributions to HMRC in relation to circa 100 Interim Payments made in the HSS. SR was working with the POL tax team on this matter. JA enquired if there were sums to be recovered from claimants and SR confirmed there were not.

ACTION: AM requested that SR bring out in the paper for the July ARC whether, based on these two incidents, he assessed HMU was operating within tolerance and if HMU had the appropriate metrics to support the monitoring and assessment of their control environment.

The RCC APPROVED the HMU Risks update paper for onward submission to the ARC.

SR left the meeting.

Action owner: SR.
3. Contract Management Framework (Verbal Update)

LC and MU entered the meeting.

LC outlined that the Contract Management Framework (CMF) was owned by the legal team but the business units implemented it. However, the business units were failing to comply with the CMF. There was training available and LC considered the failure to comply was due to prioritisation/time constraints. SG agreed with LC's assessment.

LC advised that of the 2,000 contracts in Web 3, 45% contained wrong information, which made the reporting from Web 3 ineffective.

LC, SG and MU were taking a paper to GE in August 2023 for decision on options regarding the way forward, including whether the issues should be ‘fixed forward’ or ‘fixed back’ and if there should be concentration on specific tiers of contracts. The Chair requested that the paper to GE articulated ‘quick wins’ that could be identified with little or no cost/resources and how progress would be measured.

MJ outlined the similarity to work undertaken on the data framework to embed in BAU and roles, with performance linked to objectives. KS considered the role of ‘early warning’ systems in the CMF. JA discussed the different roles of the first line and the resource/skill set in that body. JA considered that the purchase to pay audit report contained overarching controls that could be implemented to assist in the CMF arena.

ACTION: RCC and ARC were to receive a progress update on the CMF in September 2023.

The RCC NOTED the Contract Management Framework Verbal Update.

LC and MU left the meeting.

Action owners: LC/MU/SG.
4. Postmaster Losses
MP entered the meeting.
MP outlined that the process was being looked at end to end with
improvements to each element of the process and a newly formed branch
discrepancy improvement programme. There was an action plan with
accountability for delivery of step change improvement. MP discussed the
support to the network via the field teams and provision of better support to
Postmasters. MP anticipated that the progress against actions, making a
difference to the Postmaster losses figure, would be seen by the end of the
year and she planned to report back to RCC/ARC in November 2023.
ACTION: AM asked that the report back to RCC/ARC include whether the risk
was back in tolerance or on track to move towards tolerance, and by when.
(Owner: MP)
TM discussed the assurance work that was undertaken and which was feeding
into the programme outlined by MP.
AM asked about the benefits to Postmasters of the programme outlined. MP
confirmed it was all about providing better support to Postmasters and
branches and trying to decrease issues at source and provide a better service
where there were issues. TM discussed the refreshing of knowledge and
operational objectives and more resource to investigate/identify and resolve
issues with work around root cause analysis. MP was conscious of engaging
with the NSFP and Postmaster NED’s so their feedback could be incorporated
into the work that was being done.
ACTION: AM requested that the July 2023 ARC paper clearly set out what the
proposed plans and those already implemented meant, and their impacts, from
a Postmaster lens and not just a POL lens. (Owner: MP)
Challenges around the use of the discrepancies button were outlined by MJ. MP
discussed understanding why the button was utilised, helping support
branches to resolve issues, and providing clarity around best practice and
daily/weekly cash checks. JA noted that there were some compliance
challenges.
MJ discussed funding regarding the MI piece. MJ also offered assistance from
the commercial team where there was a commercial element and they could
assist.
The Chair considered whether the £30m provisioned on the balance sheet was
enough. TM added there was further provisioning of £1m a month. The Chair
noted the pattern of escalation of losses. The joining up of this piece of work
with the RTP was discussed.
The RCC APPROVED the Postmaster Losses paper for onward submission to
the ARC.
MP left the meeting.
5. Self service solutions (Verbal Update)
The Chair advised that he would provide the update on the self service
solutions in the comments section of the ARC action log as this related to an
outstanding action.
6. Postmaster Policies: Postmaster Contract Performance Policy,
Postmaster Contract Suspension Policy, Postmaster Contract
Termination Policy & Postmaster Decision Review Policy
DS entered the meeting.
DS acknowledged that, subject to the impact of the assurance work that AM and
the Assurance team were undertaking on these policies, the policies might
return to RCC and ARC in September 2023 for further approval. The Chair
discussed the process the business went through to sign off these policies
before they came to RCC and ARC. DS outlined the engagement with legal
services but accepted there may be room for further work with stakeholders
going forward.
The RCC APPROVED the Postmaster Contract Performance, Postmaster
Contract Suspension, Postmaster Contract Termination & Postmaster Decision
Review Policies for onward submission to the ARC, provided the ARC was
signposted that these would return for approval later in the year, to allow
Group Assurance feedback to be incorporated.
7. Modern Slavery Statement
DS outlined the 2023/2024 Modern Slavery Statement. AM discussed how this
was risk assessed in the supply chain, especially given the position of the CMF
outlined by LC at item 3, and noted that the key risks for a retail network like
POL lie within its supply chain tiers, both network facing and beyond. ACTION:
TM was to review due diligence procedures, assess the risk with a logistics and
supply chain lens, and incorporate this in the July ARC paper. (Owner: TM/DS)
ACTION: SG requested that DS clarify with the Speak Up Team whether the
term should be 'investigation of concerns' or 'investigation of report' in
relation to suppliers, as it may be the case that a report is made to the Police.
(Owner: DS)
JA asked about the assurance undertaken on the metrics. DS advised that the
statement was published on the website but not the metrics, and he took the
point that there would be assurance on the processes/metrics for next year.
TM agreed there needed to be clarity. ACTION: The metrics at Appendix 3
'Modern Slavery Observation Information' were to be removed prior to
submission to ARC to avoid confusion. (Owner: DS)
AM asked what assurance had taken place on material that would be published
on the external website. ACTION: JH agreed to perform a review of material
published on the website before its posting. (Owner: JH)
The RCC APPROVED the Modern Slavery Statement for onward submission to
the ARC.
DS left the meeting.
8. Branch Data/Unstructured Data plan (Verbal Update)
MT, VT & KD entered the meeting.
MT advised that structured (digital data) and unstructured data (physical data
in the network) had been decoupled. The previous plan that had been proposed
and agreed at ARC had been rejected by IADG.
MT and the team were now looking at utilisation of a cash centre in Hemel
Hempstead as a central hub site to process all new physical documents created
across administration sites. This location had good motorway connections.
Branch data was not included in this project.
TM asked if there was an aspiration regarding the timescale for this hub. KD
advised that, subject to funding approval, the aim was for September 2023.
However, the vetting time for staff, as it was at a cash centre, was also a
consideration. TM asked about the focus and communication to wider teams.
MT confirmed that the primary focus was administration sites. JH was conscious
of DMBs which had back offices or upstairs areas that may not have been
checked or cleared. TM was cognisant of that risk.
SG asked about the linkage of the proposed hub at Hemel Hempstead and the
Postal Museum. MT confirmed that he would be working with the Postal Museum.
JH asked about accountability at this central unit regarding what items would
be kept or not. KD confirmed that accountability would not be taken away from
the teams sending the items regarding what items would be kept.
The RCC discussed the policies/procedures that needed to be in place for the
central hub to fulfil its potential and make the correct decisions, and that the
general principles to be adhered to needed to be articulated. ACTION: MT and
KD to work on the decision making policies and processes required by the
central hub. (Owner: MT/KD)
MT was proposing to update RCC and ARC in November 2023 on the risks that
the actions were addressing, the current position/activities being done and the
path to remediation. The impact of funding on descoping, and the effect of this
on non-physical data management risks, was acknowledged.
The RCC NOTED the Branch Data/Unstructured Data plan verbal update.
MT, VT & KD left the meeting.
9. Technology Deep Dive
The Chair advised that this would be deferred to September 2023 RCC and ARC
to link in with NED training in September 2023.
10. POI Deep Dive
IH entered the meeting.
IH highlighted POI's positive trading performance. IH highlighted cyber risk as
the most prominent and whilst there has been strengthening within the POI
estate around the firewall and credential checking, POI has a dependency on
POL for a number of important services and POL currently regards cyber risk as
out of appetite.
The risk of inflation/recession was outlined by IH as the travel and protection
businesses rely on discretionary spend. Work on consumer duty and appointed
representative was due for completion July 2023. IH noted that undertaking
personal due diligence on Senior Management within POL has been challenging
but he was working with POL Management to ensure that the process for
gathering the data to support these checks is optimised.
JA observed that there were risks called out in IH's paper that he did not
recognise, and RB noted there were gaps and that these should be aligned.
ACTION: An exercise was to be undertaken to ensure alignment of POI and POL
risks. (Owner: IH/RB)
The RCC discussed the information required by POI ARC from POL, as the
approach had not yet been agreed. POI's regulated status was acknowledged.
SG confirmed that the legal and data protection teams were still working
through how this would operate in practice. ACTION: A clear approach was
required regarding the POL ARC information that POI has sight of. (Owner: SG)
AM raised whether the POI paper was satisfying POL's requirements and duty
of care as the Holding Company of POI, as it was currently only written with a
POI lens. ACTION: IH to revisit his paper prior to submitting to POL ARC in
July. (Owner: IH)
The RCC APPROVED the POI Deep Dive for onward submission to the ARC.
IH left the meeting.
11. Cyber Security (Verbal Update)
DB entered the meeting.
DB confirmed that he had provided an interim update on the ARC action log
and to the ARC Chair. AM discussed cyber risk at group level being outside
tolerance and DB affirmed that this was the case due to the external
environment moving quicker than actions can be taken to prevent risks. AM
mentioned that this was standard across many organisations and the right way
to assess this risk.
The Chair would incorporate Cyber Security risks in the Technology Deep Dive
going to RCC and ARC in September 2023.
The RCC NOTED the Cyber Security (Verbal Update).
DB left the meeting.
12. Plan for HIJ
SO entered the meeting.
SO confirmed that HIJ Phase 3 was 75-80% complete. SO would be providing
an update to the group at the Town Hall the following day. The content of the
update was broadly in line with the path set out to the POL Board in January.
Phase 4 discussions on the proposed approach had commenced with the
Steerco. SO confirmed there was regular engagement with JA and the team.
The Chair referenced the risk score of 16 and what would happen to this score
and when. SO confirmed there would be a revised risk score at the end of
phase 3, which SO anticipated would bring this score down.
The Chair asked whether, if funding was received for the scope of Phase 4, the
risk level would be brought down to zero or would still be significant. SO
advised it would not be zero but there would be reduced risk exposure. KS
considered prioritisation and drawing comparisons between activities if not
everything could be funded. ACTION: The Chair requested that SO consider
clear metrics that show the progress being made and the impact the changes
have brought in relation to HIJ. (Owner: SO)
SO confirmed that the plan for HIJ was being taken to the POL Board at the
conclusion of phase 3.
The RCC NOTED the plan for HIJ.
SO & DB left the meeting.
13. Group Insurance Renewal Options
PM and AB entered the meeting.
PM confirmed that the group insurance renewal was at the end of October and
that this paper outlined the options. PM confirmed that POL must hold cover
for the Bank of England cash position. PM confirmed that ARC had approval of
the overall levels of insurance for the Group under the ARC terms of
reference, and that the approval paper would be presented to ARC in September.
SG asked to what extent the team had reached out to the business units
impacted by the policies. PM had spoken on a regular basis to many but
acknowledged that he had not reached out to CoSec in relation to D&O cover
and would do so. ACTION: PM to speak to CoSec regarding the insurance
renewal options relating to D&O cover. (Owner: PM)
RB was concerned about the proposal in relation to cyber cover and the
increase in retained risk for a relatively small premium decrease, given the
concern around cyber activity.
KS asked whether the management team had considered the options. ACTION:
Paper to GE prior to September ARC so that a management recommendation
can be made to ARC. (Owner: PM)
The RCC NOTED the Group Insurance Renewal Options paper.
PM and AB left the meeting.
14. Risk, Compliance and Audit Update
14.1 Risk Report & Dashboard
RB advised that during the current reporting cycle, risk deep-dives were
performed into Group Finance & Group Technology. Improvements had been
made to the existing Risk Exception process, which is now called the Policy
Exception process, removing the element of subjectivity. In addition to the
deep dives, RB referenced appendix 1 which reported on key intermediate risks
and progress with risk responses.
RB highlighted that the suite of intermediate risks showed the trends going up
or down. In relation to Breach of Facility Headroom risk, the RCC determined
this should be for noting at ARC with escalation at the quarterly shareholder
meeting.
AM raised that the paper still did not incorporate the feedback from the May
ARC. AM recognised that the risk team probably could not change this prior to
the July ARC, but consideration should be made to provide a holistic summary
of the overall POL risk position with a summary of key movements from the
prior reporting periods.
The RCC:
• NOTED the status of key intermediate risks;
• DISCUSSED if any risks should be highlighted to the ARC for onward
visibility/escalation to DBT; and
• APPROVED the Risk Report & Dashboard for onward submission to the
ARC.
14.2 Compliance Report
JH highlighted the Data Protection Breach in Response to a Rule 9 Request. The
ICO had confirmed that no further action was necessary on this occasion.
In relation to the GLO scheme, JH updated the DSARs figure from 328 to its
current figure of 358. The team were working through the process of how to
prioritise these and on recruiting 10 contractors to help support processing the
DSARs. However, even with these roles in place, JH advised that POL would not
meet its statutory timescale obligations for processing DSARs. JH outlined the
plan to submit a notice to the ICO early the following week, requesting a
meeting. Although POL was not currently in breach, this would shortly be the
case.
AM asked if it could be said that POL could have been prepared for the DSARs.
KS observed that there were few organisations that would be able to manage
the volume POL had received, and JH agreed.
The RCC discussed the Mandatory Compliance Completion Rates, with
several business functions currently below target for completion of mandatory
compliance modules against the agreed KPI of 95%. ACTION: The Chair to
raise the completion rate at the GE meeting the following day. (Owner: ZM)
The RCC APPROVED the Compliance Report for onward submission to the
ARC.
14.3 Assurance Update & Integrated Assurance Plan for SPM
AM outlined that in the period since the last RCC in May 2023, considerable
progress had been made in moving the Historical Assurance Plan forward and
many elements of the plan are now in draft reporting stage and completed.
AM reported that fieldwork for all CIJ areas (1 to 9) is now complete and several
factual validation sessions have taken place with the Retail team. For all 9 CIJ
areas final draft reports have been issued and the team are in the process of
collating and assessing final feedback and comments.
AM confirmed that in the majority of cases (c. 97%) the Retail team have
completed the actions outlined to remediate the CIJs and have clear evidence
to demonstrate this. However, some original actions have not been completed
or have only been partially completed, and these were highlighted in the paper.
AM acknowledged that the review undertaken had gone beyond the evidence, to
review with a critical lens whether the actions are sustainable, can demonstrate
or track the impacts on PM journeys, and, where applicable, there is appropriate
oversight and governance. A number of significant improvement opportunities
for the Retail team to consider, which would further strengthen their CIJ
response, have been provided.
AM confirmed that the assurance submission to ARC in July would not include a
detailed plan on 'integrated assurance', just the proposed approach and the
scope elements, which, if approved by GE, would then lead to the creation of
an integrated assurance plan. Also, work with NBIT was already underway. JA
confirmed he had provided feedback to AM on the proposed approach.
KS asked if AM had spoken to Katie Secretan regarding the RTP. AM confirmed
that he had and he had also engaged with Tim McInnes regarding CIJ, JL
regarding culture and Tom Lee regarding finance.
JL was conscious of potential duplication and JA discussed that, in principle,
integrated assurance should not duplicate. AM agreed that the intention of
integrated assurance was to perform assurance once and make sure it was
appropriate, transparent and timely. AM agreed to make this clearer in his paper.
THE RCC:
• NOTED the Group Assurance update;
• DISCUSSED Integrated Assurance and next steps; and
• APPROVED the Assurance report for onward submission to the ARC and
the Integrated Assurance Approach for onward submission to GE.
14.4 Internal Audit Report
JA reported that the overall control environment was stable from a BAU
perspective but that controls over change delivery had deteriorated.
JA confirmed that the audit report turnaround times had deteriorated. The SLA
was 20 days and the average was now 31, an increase of 11 days from the
previous year. Performance in BAU audits remained strong at 21 days, which
was just outside the SLA. However, change audits were taking 56 days to clear,
and this clearly indicated some challenges in this area. AM commented
positively on the analysis within the paper.
JA highlighted that there were currently 27 actions overdue, 10 of which are
older than 60 days. JA worked with the action owners and extensions are
granted where there are justifiable reasons. JA considered colleague bandwidth
as the reason behind the performance deterioration. KS noted the concerning
trends from the report.
The Chair summarised that there was a large escalation in findings and an
escalating number of actions unaddressed. ACTION: The Chair to raise the
deteriorating performance with GE colleagues at the GE meeting the following
day. (Owner: ZM)
THE RCC:
• NOTED the audit results for 2022/23 and internal control themes
identified;
• NOTED the turnaround time for internal audit reports;
• NOTED the progress being made with delivery of the internal audit
programme and completion of audit actions; and
• APPROVED the report for onward submission to the ARC.
15. Fraud Risk
JA explained that fraud risk management is fragmented across POL and
ownership of activities falls to several teams. From the high level assessment
undertaken, the team have not identified any material gaps that could raise
concern about POL's ability to comply with the proposed new 'failure to
prevent' regulations.
TM asked whether there had been consideration of the risk from fraudulent
notes in the network. RB advised there had not. TM accepted this was outside
the scope of this report.
AM observed that the report was 'top down' and that a 'bottom up' view had to
be incorporated for it to reflect the true POL environment. RB took the point,
noting this was due to the fragmented nature of fraud risk management at POL.
In terms of next steps, JA advised that going forward any risk relating to fraud
in SNOW GRC is tagged to highlight that it is a fraud risk. This will enable the
Central Risk team to provide assurance over fraud risks across the
business. JA also recommended that a deep dive of fraud risks be
presented to the RCC in July 2024.
ACTION: KS and JA to have an offline conversation regarding the 117 non-
compliant controls in relation to the impact on the ARA. (Owner: JA/KS)
THE RCC APPROVED the Fraud Risk Report for onward submission to the ARC.
16. Policies for Approval
16.1 Financial Crime Policy
The Financial Crime Policy was APPROVED for onward submission to the ARC.
16.2 Anti-Bribery and Corruption Policy
The Anti-Bribery and Corruption Policy was APPROVED for onward submission
to the ARC.
16.3 Anti-Money Laundering & Counter Terrorism Funding Policy
The Anti-Money Laundering & Counter Terrorism Funding Policy was
APPROVED for onward submission to the ARC.
16.4 Treasury Policy
SG had a number of areas of concern and requested that the policy owner
discuss these with Legal and CoSec. ACTION: PM to address outstanding areas
with SG and CoSec. (Owner: PM/SG/CoSec)
The Treasury Policy was therefore deferred to September ARC to enable further
work to be undertaken.
17. Previous Meetings
17.1 Minutes (9 May 2023)
The minutes of the Committee meeting held on 9 May 2023 were APPROVED.
17.2 Action List
Progress on completion of actions as shown on the action log was NOTED.
18. Audit, Risk and Compliance Committee pre-meeting review
18.1 ARC Agenda - 10 July 2023
The draft ARC agenda for 10 July 2023 was NOTED by the RCC.
18.2 Forward Plan (including RCC only items)
• The Contract Management Framework item was to come back to
RCC/ARC in September 2023 having been to GE in the intervening
period.
• The Self service solutions item was being addressed by the Chair
providing an update in the ARC action log.
• The branch data/unstructured data plan was to return with an update to
RCC/ARC in November 2023.
• The plan for HIJ would be reported to POL Board on the conclusion of
Phase three, which was imminent.
• The Technology deep dive was to be deferred to September 2023 to link
with NED training.
• The Treasury Policy required additional work and was deferred to
September 2023.
The Committee & ARC forward plan was NOTED by the RCC.
19. Any other Business
There being no other business the Chair declared the meeting closed at 14.01.
20. Items for Noting
20.1 Procurement Governance & Compliance
The Procurement Governance & Compliance Paper was NOTED by the RCC and
APPROVED for onward submission to the ARC.
Tab 3 HMU Risks.
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Historical Matters Risk & Assurance Update
Meeting Date: 10 July 2023
Workstream: PMO, Governance and Risk
Version: 3.00
Author: Evelyn Hocking, Programme Lead
Sponsor: Simon Recaldin, Historical Matters Director
Input Sought: Noting
ARC is asked to note:
i. the work being undertaken, and continued progress made against the Historical
Matters (HM) Risk and Assurance Plan, as summarised in this paper; and
ii. the HMU Intermediate Risks as set out in Appendix 1
Previous Governance Oversight
An Historical Matters (HM) Risk and Assurance Update was provided to the Risk and Compliance
Committee (RCC) on 27 June 2022 and to ARC on 12 July 2022, where it was agreed that
further progress reports would be provided on a biannual basis.
A further HM Risk and Assurance Update was provided to RCC on 10 January 2023, the
Historical Remediation Committee (HRC) on 19 January 2023, and ARC on 23 January 2023.
This paper was presented to RCC on 27 June 2023, and to HRC on 5 July 2023.
Executive Summary
Since last reporting progress to ARC on 23 January 2023, work has continued to build additional
controls around Risk and Assurance within HMU.
Working in collaboration with colleagues in POL Compliance, work on providing assurance on
the processes and controls across the Stamp Scheme has now been completed (the final report
can be found within Appendix 2).
Assurance work is currently being undertaken by both HMU and POL Compliance on processes
and controls within the Historical Shortfall Scheme (HSS). Internal Audit have also commenced
work reviewing the HSS, with the objective of evaluating the design effectiveness and operating
efficiency of the HSS controls in place, to ensure that the progress and status of claims are
accurately and consistently managed, monitored, and reported. It should be noted that an issue
has recently been highlighted in respect of the non-payment of tax and NI contributions to
HMRC in relation to c.100 Interim Payments made in the HSS. The POL Tax Team are currently
in discussions with HMRC as to the potential consequences relating to this oversight.
Following concerns raised by HM Governance, the HM Director asked POL Compliance to
undertake an assurance audit of the Postmaster Suspension Remuneration Review (SRR)
workstream, with a particular emphasis on the remuneration data used to calculate Suspension
Remuneration. The Assurance Team performed a desktop review of the SRR process to identify
key inherent risks and expected controls. The review has now been completed and has
identified that there is insufficient evidence to demonstrate that key controls within the SRR
team are being complied with. This review has also confirmed the HM Director's concerns in
terms of the remuneration data. A separate paper on these two risks is included in this ARC
Agenda.
Further assurance work is also planned later in the year in respect of the work being undertaken
within the Overturned Convictions (OC) workstream.
Working with POL Central Risk, HMU have undertaken a further review of all Intermediate and
Local risks. The reviewed and updated Intermediate risks can be found in Appendix 1.
Report
1. Detailed below is the progress made to date against the HM Risk and Assurance Plan
Key (RAG): Complete / On track / Not started

Activity | Status | Target Date

Risk & Quality Assurance Governance
Develop Assurance Plan | Complete | 31 Aug 22
Enhance existing Risk and Control Framework, Principles and Governance Structure | Complete | 30 Nov 22
Review the reporting lines of Risks & Assurance findings to Governance Forums and Stakeholders | Complete | 30 Nov 22
Implement a Risk cadence to present Risk and Assurance updates to the HM Risk Forum, HRC, RCC, ARC and other stakeholders as required | Complete | 30 Nov 22

HM Risk Forum
Hold inaugural Risk Forum | Complete | 15 Nov 22
HM Risk Forum Terms of Reference drafted and approved by HMC and Noted by HRC | Complete | 15 Dec 22
HM Risk Forum Terms of Reference reviewed and updated ahead of approval by HMRF, HMC and noting by HRC | Complete | 31 May 23

Review of HM Risks
Undertake full review of Intermediate Risks and share with HM Risk Partner | Complete | 30 Nov 22
Review Local Risk Register - ensure that the risk register is always maintained in good order, and that the process for identifying and reporting existing risks, emerging risks, and changing risk scenarios is robust | Complete | 30 Nov 22
Review workstream RAIDS | Complete | 30 Nov 22
Share review of Intermediate Risks with Group General Counsel, HRC, RCC and ARC | Complete | 31 Jan 23
Develop a stronger relationship with HMU POL Risk Partner, develop understanding of SNOW and define a process for HMU undertaking updates in SNOW | Complete | 31 May 23
Undertake reviews of existing and new/emerging Intermediate Risks ahead of bi-annual reporting to Group General Counsel, HRC, RCC and ARC | Ongoing | Ongoing

Stamps Scheme Assurance
POL Compliance undertake assurance review of Stamp Scheme processes and controls and share initial findings with HMU | Complete | 30 Oct 22
HMU review POL Compliance assurance findings and carry out own testing (1st Line) in readiness for further testing of processes and controls by Group Compliance Team (2nd Line). Consider enhancing controls where appropriate | Complete | 15 Dec 22
POL Compliance complete testing of Stamp Scheme processes and controls and present findings to HMU for review | Complete | 31 Jan 23
HMU review final Stamp Scheme report and deal with any outstanding matters | Complete | 31 May 23
Final report presented to HMC, HRC, RCC and ARC | In course | 31 July 23

Historical Shortfall Scheme (HSS) Assurance
HMU undertake own testing | In course | 31 July 23
POL Compliance undertake assurance review of Historical Shortfall Scheme (HSS) processes and controls and share findings with HMU | In course | 31 July 23
HMU review POL Compliance assurance findings and carry out any remedial work and further testing as deemed necessary, consider enhancing controls as required, and report back to Compliance | Not started | 31 Aug 23
Internal Audit complete initial review of HSS | In course | 31 July 23

Suspension Remuneration Review (SRR) Assurance
HMU undertake own testing | In course | 15 July 23
POL Compliance undertake assurance review of the Postmaster Suspension Remuneration Review (SRR) processes and controls and share findings with HMU | Complete | 15 June 23
HMU review POL Compliance assurance findings and carry out any remedial work and further testing as deemed necessary, consider enhancing controls as required, and report back to Compliance | In course | 15 July 23

Overturned Convictions Assurance
HMU undertake own assurance testing | Not started | 31 Aug 23
POL Compliance undertake assurance review of the Postmaster Suspension Remuneration Review (SRR) processes and controls and share findings with HMU | Not started | 30 Sept 23
HMU review POL Compliance assurance findings and carry out own testing and remedial work as deemed necessary, considering enhancing controls as required, and report back to Compliance | Not started | 31 Oct 23

Governance Assurance
Respond to Governance Questions posed by the Inquiry Team ahead of Independent Governance Audit | Complete | 31 May 23
HMU undertake own assurance testing | In course | 31 July 23
Draft HMU Governance Handbook ahead of Independent Governance Audit | In course | 31 July 23
POL Compliance and or Inquiry Governance Expert undertake assurance review of HM Governance processes and controls and share findings with HMU | Not started | TBC
HMU review feedback, carry out own further testing and remedial work as deemed necessary, | Not started | TBC
Risk Assessment, Mitigations & Legal Implications
2. It is vital that HMU has a clearly articulated, managed, and monitored Risk Strategy to
ensure HMU is operating within the Risk tolerances set by Post Office, while also reflecting
the particularly challenging nature of the role of HMU. HMU must not only satisfy PO that it
is operating within a robust Risk Framework; it must also satisfy its external shareholders
that the outcomes and processes undertaken demonstrate Value for Money, stand up to
scrutiny by the National Audit Office, and deliver fair outcomes to Postmasters. The Risk
Framework being implemented in HMU is designed to meet all these requirements and will
be subject to ongoing and regular review.
Next Steps & Timelines
3. Further updates will be provided to HRC, RCC and ARC on a biannual basis.
Input / Reviewed By:
Name | Role | Comments | Version | Date
Andrew Mortimer | HM Programme Manager | Initial version drafted | 0.01 | 24/05/2023
Evelyn Hocking | HM Programme Lead | Initial version reviewed, and changes made | 0.02 | 28/05/2023
Andrew Mortimer | HM Programme Manager | Updates made for RCC | 1.01 | 18/06/2023
Simon Recaldin | HM Director | No changes made | 2.00 | 19/06/2023
Andrew Mortimer | HM Programme Manager | Updates made for ARC, HRC | 3.00 | 29/06/2023
Additional Comments:
Governance:
Committee | Version | Decision | Date
Historical Matters Risk Forum | 01.00 | Approved | 1 June 2023
Risk and Compliance Committee | 02.00 | Noted | 27 June 2023
Historical Remediation Committee | 03.00 | | 5 July 2023
Audit, Risk and Compliance Committee | 03.00 | | 10 July 2023

POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: HMU Risk Update
Meeting Date: 10 July 2023
Workstream: PMO, Governance and Risk
Version: 1.0
Author: Evelyn Hocking, HM Programme Lead
Sponsor: Nick Read, Group CEO
Input Sought: Noting
ARC is asked to note:
i. the work being undertaken to improve controls and deal with an issue recently highlighted in respect of the non-payment of tax and NI contributions to HMRC in relation to c.100 Interim Payments made in the HSS;
ii. the work being undertaken to assess and understand concerns recently raised by HM Governance relating to the remuneration data being used in the Postmaster Suspension Remuneration Review (SRR); and
iii. that at the current time, the HMU control environment may not be fully robust and/or satisfactory to manage key inherent risks.
Previous Governance Oversight
HMU reports every 6 months to RCC and ARC, with the last RCC update on 27 June 2023 where the above issues were noted.
Executive Summary
Work continues across HMU to ensure the design of controls and their execution are appropriate
to manage the key inherent risks within HMU. This involves working closely with Group
Assurance, to strengthen and build additional controls.
Assurance work is currently being undertaken by both HMU and POL Assurance on processes and controls within the Historical Shortfall Scheme (HSS). Group Assurance have also, at our request, concluded an assurance review of the Postmaster Suspension Remuneration Review (SRR), which affirmed our significant risk concerns in this area. As soon as this issue came to light, all payments and issuance of new offers were ceased, and they will only recommence once the issues have been resolved and the processes re-assured. Some organisational and personnel changes have also been implemented.
Internal Audit have also commenced work reviewing the HSS, with the objective of evaluating
the design effectiveness and operating efficiency of the HSS controls in place, to ensure that
the progress and status of claims are accurately and consistently managed, monitored, and
reported. Further assurance work is also planned later in the year in respect of the work being
undertaken within the Overturned Convictions (OC) workstream by Group Assurance.
The issues that have emerged on tax payments to HMRC and the inconsistencies in the remuneration data used within SRR, alongside the process failures, have led to increased Assurance reviews in the Detriment and Operations workstreams within HMU.
Report
1. Following the emergence of an issue in respect of the non-payment of tax and NI contributions to HMRC, in relation to c.100 Interim Payments (IPs) made in the HSS, several additional controls have been implemented to ensure the issue does not escalate any further. To be clear, there is no impact on payments made to Postmasters; rather, the process to subsequently pay HMRC was not followed. Additional actions undertaken include:
a. the creation of a Process Map which, on an E2E basis, clearly outlines the key risks and associated controls for the teams involved;
b. the HM Ops and Remuneration teams agreeing, and then successfully testing, the process of paying tax and NI in relation to offers for processing IPs;
c. creating a new folder and report on Relativity to allow the Remuneration team to easily distinguish between the Offer and the IP being processed. This is an additional measure to ensure the Remuneration team has visibility of payments;
d. developing a new Relativity report to enable the reconciliation of IPs on a weekly/monthly basis. This will be a weekly reconciliation to QA all areas that touch a payment.
2. Following concerns raised by HM Governance, the HM Director requested POL Group
Assurance to undertake a review of the Postmaster Suspension Remuneration Review
(SRR) workstream, with a particular emphasis on the remuneration data used to calculate
Suspension Remuneration.
3. Group Assurance have performed a desktop review of the SRR process to identify key
inherent risks and expected controls and selected a sample of three Suspension Payments
to perform a walkthrough to assess the effectiveness of controls. Their review has
affirmed the concerns raised by the HM Director in terms of remuneration data, and their
conclusion is:
‘sufficient evidence does not exist to demonstrate whether key controls operating
within the Historical Matters Suspension Payment team are being complied with. In
addition, there are significant gaps and weaknesses in the design of the Historical
Matters Suspension Payment Processes whereby completeness, accuracy and or
reasonableness of Suspension Payments cannot be assured.
Consequently the ‘Historical Matters Suspension Process' has been rated
Unsatisfactory.’
4. The issues highlighted have prompted the Group Assurance Director to ask whether HMU are confident that their control environment is sufficiently robust. The short answer is that currently HMU cannot be 100% confident, and therefore additional work will be undertaken to understand the assurance reviews; details of the remediation steps will be submitted to HMC and HRC, and an update will be provided to the next RCC on 12 September 2023.
Financial Impact
5. The POL Tax Team are currently in discussions with HMRC as to the potential
consequences relating to the non-payment of tax as outlined above. Ordinarily HMRC will
charge interest on overdue tax, which should not be substantial as the tax has only started
to accumulate since 1 Jan 2023. However, HMRC is bound, by statute, to consider whether
a penalty should apply. Given we will disclose the sums owing (rather than an HMRC ‘discovery’) it should be considered to be a ‘careless’ mistake for which the maximum penalty would be 30% of the tax owing. If 30% were applied to £1.399m this is a ~£420k penalty.
6. In relation to SRR, the financial impact of SRR payments made to date is still being calculated; however, the problem was discovered when c.100 offers out of a potential c.3,000 offers had been made. The SRR offer that was picked up was for a final payment of £257,286.75 for a 388-day suspension. The base remuneration and the number of days' suspension have been challenged, along with the process that allowed the letter to be sent to the Postmaster before going through the proper Governance channels.
Risk Assessment, Mitigations & Legal Implications
7. While the issues highlighted are disappointing, it should be noted that the HMU first line
monitoring controls detected these errors. Whilst this is assuring to some degree, we
recognise that our E2E processes have to be further strengthened especially in HMU
Operations.
8. It is vital that HMU has a clearly articulated, managed, and monitored Risk Strategy to
ensure HMU is operating within the Risk tolerances set by Post Office, but that also reflect
the particularly challenging nature of the role of HMU. HMU must not only satisfy POL that
it is operating within a robust Risk Framework, it must also satisfy its external
shareholders that the outcomes and processes undertaken demonstrate Value for Money,
stand up to scrutiny by the National Audit Office, and deliver fair outcomes to Postmasters.
Next Steps & Timelines
9. A full remediation plan for each of these issues will be presented to HMC on Tuesday 11 July 2023, and ARC will also be updated.
10. Once the full remediation plans have been implemented, the Group Assurance Director
will be invited to review the revised processes.
Input / Reviewed By:
Name | Role | Comments | Version | Date
Evelyn Hocking | Author | Drafting | 0.01 | 29/06/23
Andrew Mortimer | HM Programme Manager | Review | 0.02 | 29/06/23
*Mandatory Review Required ** If Applicable
Governance:
Committee | Version | Decision
Historical Remediation Committee | V01.00 |
Tab 4.1 Risk Report & Dashboard
Post Office Limited - Document Classification: INTERNAL
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Risk Update
Meeting Date: 10 July 2023
Author: Rebecca Barker (Head of Risk), Johann Appel (Director of Internal Audit & Risk)
Sponsor: Alisdair Cameron
Input Sought: Noting/Discussion
The committee is requested to:
i. Note the status of key intermediate risks.
ii. Discuss if the committee require a detailed update on any risks mentioned within this
report.
Executive Summary
During this reporting cycle, we have performed risk deep-dives into Group Finance & Group
Technology. Intermediate risks which are currently outside of our extended appetite and may
impact our strategic objectives of Improving Branch Profitability, Transforming Technology and
Rebuilding Trust, are illustrated in appendix 1.
During our discussions with the business we have identified themes emerging with regards to
colleagues’ health and well-being, as well as insufficient resource to manage day to day
activities. The Central Risk team will continue to work with risk owners to ensure risks are
raised and managed via the Governance Risk & Compliance (GRC) tool and correctly aligned to
our recently approved people risk appetite statements.
We conclude that, with the exception of the emerging people risk, the risk profile remains stable. However, there is a possibility of risks materialising over the next couple of months where remediations are reliant on key decisions at Board, funding allocation and programme delivery.
Report
1. Changes to risk exception process: We have recently made improvements to the existing
Risk Exception process, which is now called the Policy Exception process. The improved
process removes the element of subjectivity, ensures we have identified correct approvals
from the risk and policy owner, which in turn will improve the ability to track any overdue
actions by managing exceptions on our GRC tool. Appendix 2 provides an overview of active
policy exceptions. An exception will only be required if the risk being raised is outside of our
approved policies. If within policy then the standard risk management process will be
followed.
2. Deep Dives: During this reporting period we completed the risk deep-dives for Group
Finance and Group Technology. Group Strategy & Transformation has been delayed to
September. In addition to the deep-dives we will continue to report on key intermediate
risks and progress with risk responses (see appendix 1). For transparency, all intermediate
risks have been included within the reading room.
Risk Deep Dives
3. Group Finance: Intermediate risks have been reviewed with the senior leadership team. Key Intermediate risks which are being managed and remain stable are:
• Inability to prevent Health & Safety breaches.
• Potential failures of procurement process.
• Material misstatement in financial reporting and Financial Statements.
There are currently four risks which, to remediate, will require funding to be agreed with DBT. The risks have been shared with DBT. These risks are:
• Investment from shareholder is withdrawn/reduced (going concern risk)
• Breach of Security Headroom (facility covenant)
• Breach of Facility Headroom
• HMU funding and expenditure corporation tax treatment
If funding is not agreed the risk of breaching Security Headroom could materialise as early as September 2023. If Security Headroom is breached, Post Office would be in default [...] provided by DBT and cause default on [...] other facilities / agreements (NatWest [...]) [IRRELEVANT]. If this were to occur [...]. The risk [...] levels, with requirements from HMU, SPM and Inquiry being significant and ever increasing.
Recommendations: Concerns were raised around the wellbeing of staff and the capacity
to manage day to day activities - this will be fed back to the People team. A full review
and assessment of the Finance local risks will be carried out and completed by September.
4. Group Technology: Intermediate risks have been reviewed with the senior leadership
team. Key Intermediate risks which are being managed and remain stable are:
• Inability to have NBIT technology ready for deployment by March 2025.
• Inability to adequately implement Historical Matters remediations and deliver improvements to Horizon issues.
• Inability to migrate branches to a fibre-compatible solution by December 2025.
• Inability to support Horizon after the current Fujitsu contract ends.
• Inability to support & maintain elements of the Horizon legacy platform.
• Inability to prevent Cyber-attacks.
• Inability to recover from a Cyber-attack (previously known as data loss).
• Ineffective management of unstructured data.
During the deep dive several risks were highlighted which have not previously been tracked
via GRC. Risks relating to End User Computing, Branch devices, SSKs, payment devices
(PEDs), increase in staff costs, recruitment of senior leadership roles and the ongoing
impact of the Inquiry on staff, will all be reviewed, assessed and reported going forward.
Cyber Security risks remain stable, as our current cyber defences are assessed as effective, but they require a step change in maturity to mitigate the increasing and evolving cyber threat landscape, particularly in relation to ransomware. Whilst additional funding is required to improve our cyber posture, initiatives are already in flight; these must now be delivered as planned by October 2023. A prove-phase plan is in flight that will deliver 8 initiatives. A business case will be produced in parallel that will detail a further, larger funding request as part of our planned multi-year cyber programme. This will be presented to the Board in September 2023.
Recommendation: It is not clear which risks could be further impacted by delays within the NBIT SPM delivery; this should be reviewed and articulated within the risk, as it may result in a risk materialising that could impact the business operationally. Mitigations for supporting Horizon beyond the contract end-date and maintaining the legacy platform are dependent on decisions from the Board; the paper was originally scheduled to be presented to the Board in June but has been delayed to July. As a result of the delays the likelihood could increase, and therefore these risks should be re-assessed following the outcome of the July Board.
Update on other areas
5. Group Retail: The remediation plan for risk “RK0021792 - Inability to identify, investigate and resolve discrepancies in the network” has been reviewed. The risk remains stable and a separate paper will be presented to the ARC.
6. Group General Counsel: Likelihood has increased from 5 to 4 on risk “RK0021771 - [title not legible]”. The reason for the increase follows a request from an external legal firm representing Postmasters for c.328 DSARs. The legal firm have declined to work within the
government disclosure scheme on such requests. The obligation on Post Office is that we
must respond in 30 days, which can be extended to 90 days for complex cases. Given the
volume and complexity, POL are unable to meet these deadlines due to system restrictions
that no amount of resource can fix. As an example, inherently it took POL 3 months to
complete 44 (partial) DSAR requests. Mitigation actions have commenced, which include:
• External legal advice has been taken
• Consideration for additional resource of c.10 colleagues
• Work with DBT to provide a response and agree action to minimise the impact on GLO complainants
• ICO engagement
• 2-weekly review of mitigation plan between Central Risk and Compliance team
7. Historical matters: Two risks have reduced this period:
• RK0021780 - Breach of the Common Issues Judgement (CIJ) - Outstanding Balances (I5:L4 - risk remains outside of appetite and tolerance). Risk reduced due to agreement that the impact should be reduced following discussion at the Historical Matters risk forum on 1 June, as matters have moved on: Board has approved pausing payments and legal advice has now been taken.
• RK0021807 - Insufficient Budget and Increasing Costs to deliver HM Compensation Schemes (I4:L2 - currently no agreed appetite). Risk reduced due to budgets being sufficiently controlled and monitored to enable adequate forecasting to ensure no budget breaches. Budget has been agreed until 2025.
8. Governance: There is a concern around the lack of clarity over GE accountabilities, decision-making forums, documenting of decisions, and the escalation and appropriate reporting of material issues and decisions to GE and Board to ensure adequate oversight. As a result of these concerns a Governance review is being conducted, which includes the risk assessment with the risk owner for the current risk “RK0020051 - UK corporate governance code - unable to demonstrate compliance”. The Central Risk team will be reviewing all risks in respect of failure of governance to understand what the risk posture is across the business; the outcomes of this review will be included within the September Risk paper.
9. Group People: Risks are currently under review - all assessments are due to complete by
the end of July and reported in the September ARC paper. Following discussions with
colleagues across the business we will focus on the following themes:
• Culture/Ways of working misalignment - existing risk to be assessed;
• Increased workload, pressure and stress (caused by the Inquiry, SPM, HMU, etc.) as well as negative media coverage of Post Office - emerging risk to be agreed and assessed.
10. Group Commercial: No change to the Intermediate risks. POI management remains
concerned over our exposure to cyber risk. For all businesses, notably those with a UK
Government connection, cyber risk is currently heightened. POI have raised the lack of
‘playbooks’ if POL was faced with a ransomware attack. This is being reviewed as part of
the remediation activity that the CISO is leading on in Technology.
Other areas highlighted at the POI ARC;
• Appointed Representative/Consumer Duty Project: for noting that there is a risk to the POL leadership team for failure of adherence.
• Work on the personal due diligence required for compliance with the new FCA AR regime continues to prove problematic, with several returns from POL Senior Managers being outstanding. Bank of Ireland has written to POL to note that this is of concern.
11. Group Strategy & Transformation: Following discussions with the Head of Change Risk
Assurance, there appears to be a lack of visibility around the key programme risks
presented to the RCC and ARC. Appendix 3 provides an overview of the key programme
(Platinum & Gold projects) risks scored 16 and above. Change Risk & Assurance continue
to escalate programme risks, map dependencies (with the caveat that SPM & RTP are being
worked on to identify and define dependencies) and perform scheduled PIR assessments
(Belfast exit is concluding and Copper-Stop-Sell is underway).
Recommendation: To ensure clear lines of accountability in reporting methods, the Central
Risk team recommend that the Change Risk Assurance team are invited to the September
ARC to provide a deep dive of Platinum and Gold project risks.
Conclusion
12. Engagement of the business with the Central Risk team is increasing and improving. We
are seeing a positive change in the first line approach to risk management.
Next Steps & Timelines
13. “Deep Dive” risk review with Group People, Group General Counsel, Group Commercial and
Group Strategy & Transformation.
Appendix 1 - Top 10 risks for June
- Enterprise Risk: RAG status relates to the High, Medium or Low scoring Enterprise risk - the score is assessed using the roll-up of Intermediate risks.
- Overall risks remain stable; however, dependent on decisions and funding allocated over the next couple of months we could see a change in trend as the likelihood of risks increases.

1. Investment from shareholder is withdrawn/reduced (going concern) (8:3). Owner: Tom Lee. RK0022853. Trend: N/A - change to risk posture has not been tracked this period; intermediate finance risks have recently been revised and the next risk assessment will allow trends to be tracked. Appetite/Tolerance: to be agreed. Strategic objectives: Improving Branch Profitability, Rebuilding Trust, Transforming Technology.
Mitigation: Funding to be secured and where necessary increased. This relates to multiple areas including:
• Historical Matters funding for settlement related activity
• Network Subsidy Payments
• Investment funding to cover strategic priorities and other requirements as deemed necessary
• Adequate access to liquidity through the Working Capital Facility (going concern)
Review date: September 2023.

2. Breach of Security Headroom [score not legible]. Owner: Tom Lee. RK0022854. Trend: N/A - change to risk posture has not been tracked this period; intermediate finance risks have recently been revised and the next risk assessment will allow trends to be tracked. Appetite/Tolerance: to be agreed. Strategic objectives: Improving Branch Profitability, Rebuilding Trust, Transforming Technology.
Mitigation:
• Obtain a security headroom waiver from DBT
• Obtain additional funding from DBT
• Halt spending on non-BAU activity to delay impact
Review date: September 2023.

3. Breach of Facility Headroom (3:4). Owner: Tom Lee. RK0022855. Trend: N/A - change to risk posture has not been tracked this period; intermediate finance risks have recently been revised and the next risk assessment will allow trends to be tracked. Appetite/Tolerance: to be agreed. Strategic objectives: Improving Branch Profitability, Rebuilding Trust, Transforming Technology.
Mitigation:
• Obtain an extension to the WCF from DBT (extension of size and usage, i.e. what it can be used for)
• Obtain additional funding from DBT
• Halt spending on non-BAU activity or pull other levers such as delayed client payments to delay impact
Review date: September 2023.

4. HMU funding and expenditure corporation tax treatment (3:3). Owner: Tom Lee. RK0021855 (as read). Trend: N/A - change to risk posture has not been tracked this period; intermediate finance risks have recently been revised and the next risk assessment will allow trends to be tracked. Appetite/Tolerance: to be agreed. Strategic objectives: Improving Branch Profitability, Rebuilding Trust, Transforming Technology.
Mitigation: Funding will need to be sought from DBT in respect of these. DBT are aware.
Review date: September 2023.

5. Inability to identify, investigate and resolve discrepancies in the network. RK0021792. Trend: Stable - risk is stable. The team continue to operate several BAU processes aligned to postmaster [...] and processes [...] internal assurance. Strategic objective: Rebuilding Trust.
Mitigation:
• Correction and Review and Deep-dive data now issued to both RMs and AMs [...] in order to start a conversation with the postmasters about support required [...]
• Branch Discrepancy Improvement Programme initiated. Detailed action plan and timescales to be developed by the end of June, following which progress against the actions will be managed via the appropriate governance framework with [...] reporting back to RCC & ARC
• Retail path-clearing activity to support network readiness for NBIT rollout will provide a complete view of network health and [...] of POL expectations [...]
• Compliance to back office processes. This is closely linked to the project above
• Review the decision about how we recover losses (including auto-debit from rem) once the end-to-end discrepancy review programme is complete and we have implemented improvements where applicable
Review date: September 2023.

6. Unable to prevent Cyber attacks (4:4). Owner: Dean Bessell. RK0022056 (as read). Trend: Stable - risk is stable. Strategic objective: Transforming Technology.
Mitigation: Cyber security maturity programme is being designed and developed. Initial funding has been approved for this programme to commence, which will focus on a number of key areas: Active Directory Backup, Back Up Strategy, Group Website review, Enhanced reporting for vulnerability management, Ransomware protective tooling, Additional Supplier Assurance, Atlassian and GitHub review, POL-tailored ransomware playbooks.
Review date: October 2023.

7. Inability to recover from a Cyber attack (4:3). Owner: Dean Bessell. RK0021055 (as read). Trend: Stable - risk is stable. Strategic objective: Transforming Technology.
Mitigation:
• Planning the inclusion of a CMDB (Configuration Management Database) as part of the wider funding request
• Tailoring the Operational and Executive playbooks to make them more specific to Post Office
• Continue to work through our DR testing calendar; this year we have already executed in the region of 34 DR tests
• Planning a major desktop exercise with Fujitsu
Review date: October 2023.

8. [Title not legible; Horizon exit and transition risk]. Owner: Simon O[...]. [Risk ID not legible]. Strategic objective: Transforming Technology.
Mitigation:
• Full-time Exit & Transition Manager (Contractor) [...] recruited [...]; suppliers [...] have been [...] and an approach/options will be presented to the Board
• [...] Exit Transition Roadmap in order to [...] an acceleration of the exit of the Horizon Agreement [...] pending Board
• Governance [...] Exit & Transition planning [...] pending July Board
• Alternative options for Horizon support (both for Data Centre and [...] contracted service) to be explored and cost/[...] for submission to July Board
Review date: August 2023.

9. Inability to support & maintain elements of the Horizon legacy platform (3:3). Owner: Simon O[...]. RK0020077. Trend: Stable - risk is stable. Strategic objective: Transforming Technology.
Mitigation:
• [...] project being mobilised; this project will focus on [...] items that are end of life and require [...] (Programme 3, also known as [...]); now scoped and includes all items [...] for service continuity. Detailed programme plan to be baselined by 24/6/23
• Ongoing review of EOS register to determine approach on a component-by-component basis, being managed via Horizon Architecture & Security teams [...]
• [...] around approach to Oracle support & potential upgrade ongoing; will be presented to POL Board in July
Review date: August 2023.

10. Non-compliance with Data Protection guidelines (4:[...]). Trend: Increased - risk has increased due to [...] level of DSARs to be responded to within [...]. Mitigations are being reviewed [...] the requests. Strategic objective: Rebuilding Trust.
Mitigation:
• Team resource being managed
• Team experienced with high [...]; process in place to ensure adherence
• Additional resource of c.4 people currently being [...] to support the DSAR requests
Review date: 2-weekly review in place.
Appendix 2 - Policy Exceptions
No | Risk ID | Exception Title | Risk Owner | Risk End Date | Extension in review | Business Entity / Entity Lead | Policy Name | Policy Owner
1 | RK0021651 | Counter Pilot R1 does not adhere to POL Access Control Standards exception | Gareth Clark | 31/3/2023 | Possible extension until October when R1 will be decommissioned; awaiting response from Royal Mail | Branch & Digital Engineering / Zdravko Mladenov | Cyber and Information Security Policy | Dean Bessell
2 | RK0021580 | Unknown levels of security for Parallels software | [...] | 12/05/2022 | Extension discussions are in progress | Branch & Digital Engineering / Zdravko Mladenov | Cyber and Information Security Policy | Dean Bessell
3 | [ID not legible] | Counter Pilot R1 screen lock risk exception | [...] | 31/3/2023 | Possible extension until October when R1 will be decommissioned; awaiting response from Royal Mail | Branch & Digital Engineering / Zdravko Mladenov | Cyber and Information Security Policy | Dean Bessell
4 | [ID not legible] | Counter Pilot R1 enabling Developer Mode on Production devices risk exception | Gareth Clark | 31/3/2023 | Possible extension until October when R1 will be decommissioned; awaiting response from Royal Mail | Branch & Digital Engineering / Zdravko Mladenov | Cyber and Information Security Policy | Dean Bessell
5 | RK0021864 (as read) | IT Security Controls not fully evidenced for go-live PEN (PDA replacements) | Darren Mullen | 30/09/2023 | N/A | Supply Chain / Martin Roberts | Cyber and Information Security Policy | Dean Bessell
6 | RK0021865 | Medium vulnerabilities found during pen testing not resolved: go-live PEN PDA replacement | Darren Mullen | 27/08/2023 | N/A | Supply Chain / Martin Roberts | Cyber and Information Security Policy; Vulnerability Management | Dean Bessell
7 | RK0021831 | Partner Bank failure to undertake testing for PIN deposits | Greg Lewis | Until deployment | [...] | Portfolio - Banking & Payments / Owen Woodley | Business Change standard / Policy v2.3 | Business Change standard Owner: Tim McInnes; GE Policy Sponsor: Dan [...]; Standard Implementer: Saira Burwood
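The Policy Exception process described in the Report above (paragraph 1) is meant to surface overdue actions by managing exceptions on the GRC tool. As an added example, not part of this paper and not POL's GRC tooling, the following Python ages the exceptions listed in Appendix 2 against the meeting date: an exception whose Risk End Date has passed is flagged, and distinguished by whether an extension is merely under discussion, recorded as approved, or absent altogether. The records are transcribed from Appendix 2 (risk IDs as read, illegible ones carried as placeholders); the status vocabulary, the approval keywords and the as-of date are assumptions made for the example.

```python
"""Ageing check for policy exceptions of the kind listed in Appendix 2.

Added example (not POL's GRC tool).  Records are transcribed from
Appendix 2; the classification rules, the approval keywords and the
as-of date (the meeting date) are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyException:
    risk_id: str
    title: str
    end_date: Optional[date]   # None = open-ended, e.g. "until deployment"
    extension_note: str        # free text from the "Extension in review" column
    policy: str


def parse_uk_date(text: str) -> Optional[date]:
    """Parse the appendix's d/m/yyyy dates; anything else ('until deployment') is open-ended."""
    for fmt in ("%d/%m/%Y", "%d/%m/%y"):
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    return None


# Assumed vocabulary: words that would show the extension was actually approved,
# as opposed to requested, discussed or "awaiting response".
APPROVED_MARKERS = ("approved", "granted", "extended to")


def classify(exc: PolicyException, as_of: date) -> str:
    """Status of one exception as of a given date.

    open-ended                 no end date recorded
    within-date                end date not yet reached
    extended                   end date passed, note records an approved extension
    expired-extension-pending  end date passed, extension requested/discussed only
    expired-no-extension       end date passed, nothing recorded (blank or N/A)
    """
    if exc.end_date is None:
        return "open-ended"
    if as_of <= exc.end_date:
        return "within-date"
    note = exc.extension_note.strip().lower()
    if note in ("", "n/a"):
        return "expired-no-extension"
    if any(marker in note for marker in APPROVED_MARKERS):
        return "extended"
    return "expired-extension-pending"


def days_overdue(exc: PolicyException, as_of: date) -> int:
    """Days past the recorded end date; 0 if open-ended or not yet expired."""
    if exc.end_date is None or as_of <= exc.end_date:
        return 0
    return (as_of - exc.end_date).days


def overdue_report(exceptions: List[PolicyException], as_of: date) -> Dict[str, List[Tuple[str, str, int]]]:
    """Expired exceptions grouped by policy, longest overdue first: {policy: [(risk_id, status, days)]}."""
    report: Dict[str, List[Tuple[str, str, int]]] = {}
    for exc in exceptions:
        status = classify(exc, as_of)
        if not status.startswith("expired"):
            continue
        report.setdefault(exc.policy, []).append((exc.risk_id, status, days_overdue(exc, as_of)))
    for rows in report.values():
        rows.sort(key=lambda r: r[2], reverse=True)
    return report


CISP = "Cyber and Information Security Policy"
R1_NOTE = "Possible extension until October when R1 will be decommissioned, awaiting response from Royal Mail"

# Transcribed from Appendix 2; two Counter Pilot R1 rows have IDs that are illegible in the extract.
APPENDIX_2 = [
    PolicyException("RK0021651", "Counter Pilot R1 does not adhere to POL Access Control Standards",
                    parse_uk_date("31/3/2023"), R1_NOTE, CISP),
    PolicyException("RK0021580", "Unknown levels of security for Parallels software",
                    parse_uk_date("12/05/2022"), "Extension discussions are in progress", CISP),
    PolicyException("(illegible)", "Counter Pilot R1 screen lock", parse_uk_date("31/3/2023"), R1_NOTE, CISP),
    PolicyException("(illegible)", "Counter Pilot R1 enabling Developer Mode on Production devices",
                    parse_uk_date("31/3/2023"), R1_NOTE, CISP),
    PolicyException("RK0021864", "IT Security Controls not fully evidenced for go-live PEN (PDA replacements)",
                    parse_uk_date("30/09/2023"), "N/A", CISP),
    PolicyException("RK0021865", "Medium vulnerabilities found during pen testing not resolved",
                    parse_uk_date("27/08/2023"), "N/A", CISP + " / Vulnerability Management"),
    PolicyException("RK0021831", "Partner Bank failure to undertake testing for PIN deposits",
                    parse_uk_date("until deployment"), "", "Business Change standard v2.3"),
]

MEETING_DATE = date(2023, 7, 10)  # the ARC meeting date, used as the as-of date

if __name__ == "__main__":
    for policy, rows in overdue_report(APPENDIX_2, MEETING_DATE).items():
        print(policy)
        for risk_id, status, days in rows:
            print(f"  {risk_id:<12} {status:<28} {days:>4} days overdue")
```

Run against the meeting date, the four Counter Pilot R1 / Parallels exceptions come out as expired with an extension still pending (the Parallels one more than a year past its end date), the two PDA-replacement exceptions are within date, and the PIN-deposit exception is open-ended; an open-ended exception never ages, which is itself worth a policy owner's attention.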
Appendix 3 - Gold & Platinum project risks
Risk Summary (Risks >16)
[Table of project risks scored 16 and above not legible in source]
Tab 4.2 Compliance Report
POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT
Title: Group Compliance Update
Meeting Date: 10th July 2023
Author: Jonathan Hill, Compliance Director
Sponsor: Ben Foat, Group General Counsel
Input Sought: Noting
The Committee is asked to:
Note the Group Compliance update, particularly:
• The changes made to the FOI reporting processes and SteerCo following the discovery and disclosure of documentation containing racist language
• The impact on the GLO Compensation scheme and the receipt of 358 DSARs
• Mandatory training completion rates
POL Compliance Status/Overview
*Please note Group Compliance does not oversee all areas of the business.
1. The areas in which we continue to identify potential and emerging risks are:
a. Data Protection / Information Rights
Data Protection Breach in Response to a Rule 9 Request
On 15 May 2023, the Post Office Horizon IT Inquiry (the "Inquiry") issued a Rule 9 request to Post Office Limited ("POL"), which sought confirmation of whether 188 documents that had previously been disclosed by POL as relevant to certain custodians (pursuant to a Rule 9 request issued on 15 June 2022) were in fact relevant to those custodians. Following a review by POL's external criminal legal advisors, Peters & Peters ("P&P"), we clarified that 175 of the 188 documents were not relevant and were inadvertently included. They were not reviewed due to the truncated process agreed through POL's internal governance process and agreed with the Inquiry.
Based on an assessment of the risk caused by this chain of events it was determined that this met the threshold of a notifiable breach, and the Information Commissioner's Office ("ICO") was informed on 22 May 2023. POL sent a response on 9 June 2023 to questions raised by the ICO; the ICO subsequently confirmed on 13 June 2023 that, based on the prompt action taken to remove the documents from the Inquiry's Core Participant e-disclosure platform, no further action is necessary on this occasion. POL has an averse appetite to non-compliance with regulatory and legal obligations.
There were no mandated actions in the ICO's response on 13 June 2023, although the recommendations (e.g. ensuring adherence to processes, effective due diligence prior to disclosure and early breach detection) are in fact already in place. As reported, the issue here was that due to the urgency of the Rule 9 request the usual Due Diligence was not undertaken. Dispensation was granted by the HRC to relax the normal process due to the volumes of data and the timeframe for the specific Rule 9 request. Going forward the proposal from Compliance would be that no dispensation should be given unless there is a compelling reason to do so.
CONFIDENTIAL Page 1 of 6
POL ARC Meeting-10/07/23 43 of 111
UKG100044335
UKG100044335
Tab 4.2 Compliance Report
The Hard Copy Index
It was previously reported that there were concerns regarding the accuracy of QA run by Oasis of the indexing programme. Recommendations for next steps for Phases V were presented and agreed at
• POL will reindex Phases III & IV, followed by a Quality Assurance exercise
• Tolerance level for any future errors: HMC noted that the Assurance Director was content with a tolerance level of 3% for material errors which could impact retrievability and 15% for non-material errors which would not impact retrievability. However, given mm, HMC agreed with the DPO suggestion and recommended to adopt a 1-3% tolerance rate for material errors and for POL to then take a decision thereafter based on how errors were contextualised
• Budget & resource is being secured for the work, after which timelines will be finalised
• It is anticipated that work will commence early July, with timeframes to be finalised and shared by means of verbal update to the RCC
• Updated indexing will be shared with Law Firms on a regular basis, during the re-indexing exercise
FOI requests & DSARs
The number of FOI requests remains at a high level and this is likely to continue and increase given
the next phase of the Inquiry commencing in July. At the time of compiling this report (13/06) there
were 44 open cases of which at least 38 directly or indirectly relate to the Horizon Inquiry.
POL recently responded to an FOI request for the release of Security Documents that contained
inappropriate and racist terminology. This request followed the process set out for internal
consultation prior to disclosures following normal governance procedures. However, given the
sensitivities of some FOI requests, changes to the FOI process, particularly reporting and changes to
the FOI SteerCo have been made. Please see the brief given to the GE, which is in the Reading
Room.
GLO Scheme
On 29.05.23 we received 307 DSARs from Freeths and shortly afterwards a further 10, requiring us
to provide them with all information held by POL relating to their clients. Since then we have received
several more DSARs from Freeths, bringing the total (as at 30.06.23) to 358. We anticipate that more
will be received.
These DSARs were submitted as Freeths CONFIDENTIAL
CONFIDENTIAL This scheme was established in
recognition that the amount the wrongfully convicted Postmasters received from the GLO settlement,
after having paid their litigation funders and legal fees was less than they could receive going through
other schemes set up by Post Office.
POL, the Department of Business & Trade ("DBT") and the various law firms acting on behalf of claimants agreed a process earlier this year to ensure that all claimants received the necessary information to allow their clients' claims to be progressed by the law firms acting on their behalf. This approach followed the same principles as were applied for the HSS scheme.
As the DSARs submitted place a legal obligation on POL these need to be prioritised over support for the HM teams involved in the Compensation Scheme. Also, and critically, we are operationally not able to process 358 DSARs within the statutory timescales. The systems we have and the amount of data to be reviewed for each DSAR means that it is estimated it could take us over a year to process them, even if we recruited a large team to do the work.
A fine from the ICO, whilst possible, is considered unlikely given POL's commitment to dealing with the DSARs and the Information Commissioner's commitment not to fine publicly funded organisations given the strain on public finances. POL can nevertheless expect to be reprimanded by the ICO and to face other sanctions such as enforced audits, leading to POL being heavily criticised in the media for "failing" to provide data needed to support wrongfully convicted postmasters.
We, a with Historical Matters, are a with DBT on this. DBT are in contact with Freeths
In the meantime, we are looking at recruiting a team to support the DSARs in case they are not
withdrawn and have advised DBT that this needs to be at their cost.
Risks
Unless Freeths withdraw their DSARs the implications of this situation are:
• First and foremost, it will seriously delay the process to provide sufficient compensation to postmaster claimants;
  o We are working on recruiting 10 contractors to help support processing the DSARs, which we are asking DBT to fund. However, even with these roles in place, POL will not meet its statutory timescale obligations for processing DSARs;
  o DBT is hoping Freeths will withdraw the DSARs so that these roles are not needed;
• Secondly, a: CONFIDENTIAL
CONFIDENTIAL Recently the ICO has indicated that it will not impose fines on HMG-funded organisations as this would be taking funding from those organisations and handing it back to the Treasury, which would be counterproductive. We are obtaining legal advice on this risk;
• Thirdly, it is anticipated that the legal representatives of other GLO Compensation scheme claimants will submit DSARs for their clients, resulting in over circa 400 DSARs being received, with the commensurate impact on timelines;
• Also, we can expect to be heavily criticised in the media for "failing" to provide data needed to support wrongfully convicted postmasters;
• Lastly, because we have to support the 358 DSARs, we will have to prioritise these over anything that is not essential and not related to the Inquiry, HM, NBIT and on-going investigations/incidents.
Next steps
1. Unless and until the DSARs are withdrawn we will continue to prioritise these over anything that is not essential and not related to the Inquiry, HM, NBIT and on-going investigations/incidents. We will look to prioritise the elements of the DSARs that would enable the GLO scheme to progress the claims.
• Approximately 10 of the 18 DSAR lines of data are required to support Compensation claims;
• The remaining 8 are complex/voluminous and, in POL's opinion and as agreed by claimants' law firms, are not required to support the Compensation scheme claims;
• It is estimated that 1 of the 8 lines (Audit Record Query ("ARQ"), held by Fujitsu) would cost approximately £11m and we have no cost cap as we do for FOIs.
2. We have contacted the ICO to advise them informally of the situation. We are planning to submit a notice to the ICO early next week, requesting a meeting.
3. We are working on recruiting 10 contractors to help support processing the DSARs, which we are asking DBT to fund. However, even with these roles in place, CONFIDENTIAL
CONFIDENTIAL
b. Financial Crime/AML/ABC
The Fit and Proper Remediation Prove Case approval was obtained on 24 May 2023. A Project Manager and Business Analyst have been appointed and a review of the systems and issues has been undertaken. A proposal has been drafted to implement a phased approach, and if agreed, phase 1 will deliver process improvements and quick wins by December 2023.
The annual re-assessment of POL's medium-high risk Travel Money service has identified a marginal improvement in some controls and a corresponding reduction in the residual risk. The level of unusual and suspicious activity has increased in line with sales growth, but levels of non-conformance at point of sale have increased at a higher rate (splitting transactions to circumvent ID capture limits, and knowingly serving customers not eligible for the product). We are working with the Network and Product teams to deploy communication and awareness. There is a current Prove Case to replace the Travel Money EKYC service from Digidentity with a service from Yoti as the contract expires in October 2023.
Update on William Hill fine (ARC 28.03.23 action 9)
• In March 2023 William Hill Group was fined £19.2m by the Gambling Commission for social responsibility and anti-money laundering failures.
• The vast majority of issues related to failures to protect vulnerable customers from harm through uncontrolled losses. AML failings related in the main to inappropriately training staff on risks and how to manage them, failing to undertake appropriate due diligence and account monitoring, weaknesses in policies, procedures and controls relating to the appropriate action to take following the results of customer profiling, and a lack of hard stops to prevent further spend and mitigate against money laundering risks before customer risk profiling was completed.
• The William Hill AML failures are not applicable to any Post Office activity and cannot be associated with banking cash deposits transacted at Post Office under the Banking Framework, as regulatory responsibility for due diligence, account monitoring, customer profiling and account blocking rests entirely with the account holding banks. The only potential flow through could be in relation to AML training, but Post Office does undertake training for all employees, Postmasters and their staff on risks and red flags and the correct procedures to be followed, and this training is regularly reviewed and updated in line with current threats.
• As banks roll out their deposit limits, the risk of splitting transactions to avoid transaction limits declines; further attempts to deposit are likely to hit cumulative deposit limits. However, the risk of laundering over Post Office counters is still high due to the amount of cash deposited and the use of mules and couriers who are able to deposit funds across multiple accounts and multiple Post Office locations.
The UK Government's Economic Crime Plan 2 sets out the government's priorities in tackling financial crime over the next three years. It is underpinned by £400 million of investment - a £200 million government investment and £200 million from the Economic Crime Levy.
• It has been determined that both POI and POL will have to pay the new Economic Crime Levy - POI will pay to the FCA and POL will pay
The Plan acts as an overarching document for the UK's Fraud Strategy and sits alongside a new Anti-Corruption Strategy, which is yet to be published. The three key aims are:
• Reducing money laundering and recovering more criminal assets
• Combatting kleptocracy and driving down sanctions evasion
• Cutting fraud
The largest impact to Post Office is likely to be the new ‘failure to prevent’ fraud offence aimed at
preventing corporate misconduct in large organisations. As Post Office Limited is wholly owned by
the UK Government and is subject to increased scrutiny and approval for significant decisions, the
risk rating is expected to be low. The additional impacts are likely to be dependent on Post Office’s
exposure to law enforcement activity; the creation of new investigation cells and renewed enforcement
focus and appetite to disrupt organised criminal groups’ money laundering methods may identify new
or emerging risks occurring at Post Office counters over the next 3 years (further information on ECP2
is included in the Reading Room).
c. Financial Services
In April 24% of mystery shops were graded red. An improvement has been seen in Over 50's and Travel Insurance as compared to Q4 (Over 50's: 10.5% in April against 15% in Q4; Travel Insurance: 24.3% in April against 33.5% in Q4). However, there is an overall increase in red grades (24% in April against 21.8% in Q4). This is attributed to Savings, which has increased from 13.6% to 27.9%, the main reason being summary boxes not being provided with an application form. Investigations are being carried out to identify the root cause of this sudden uplift.
d. Mandatory Compliance Completion Rates at 12.06.2023
The following business functions are currently below target for completion of mandatory compliance modules against the agreed KPI of 95%.
9 out of 10 business areas have not achieved 95% for AML training, which closed on 22 May 2023, and 3 areas have not reached 95% for GLO training.
We are working with L&D to see if we can establish formal consequences for non-completion and for these to be added to the PDR / bonus process.
Appendix 1 - Status of Group Compliance Activities
The table below provides a status of 2022/23 Group Compliance Activities (the Status and Assurance Review indicator columns are not legible in the scan and are omitted):
Activity | 2022/23 Group Compliance Activities | Comments
Group Policy Assurance | 15 policy reviews are due between Sept 2022 and March 2023 (PAUSED) | Group policies annual renewal cycles being met in majority of cases. [remainder of comment illegible]
Postmaster Policy Assurance | Review 12 PM Policies by 31 [illegible] | [comment illegible]
FS Mystery Shopping | c.200 shops per month are planned for the rest of 22/23 (excl. Dec) | In April 37 branches were graded red (24%). The new simplified branch travel insurance journey was implemented in March and shopping recommenced in April. This has shown an improvement in results where 24.3% were graded red as compared to 31.6% in Feb, 35.4% in Jan, 47.2% in Nov and 44.7% in Oct. As the new journey beds in we should expect to see a further improvement in the coming months.
Data Protection and Information Rights | Accountability Framework planned actions for 2022 | POL management and control over hard copy data continues to remain a significant risk and an exposure (from an Inquiry and GDPR perspective).
Financial Crime assessments | 6 risk assessments completed, 6 assessments postponed (insurance), 4 assessments in progress in Q1 2023 | Travel Money, Drop and Go, Credit Card, ABC (POL, POI, PZBP) re-assessed with no significant findings. ATM risk assessment is to be finalised imminently. 6 assessments relating to insurance products have been postponed in Q1 23/24, due to product owners not completing PIPs on time - extension has been agreed until mid-June. Banking cash withdrawals will be complete as part of the Q1 cohort. New products/changes are [remainder illegible]
Financial Crime Quarterly policy assurance | [illegible] HMRC [illegible] Policy | [partly illegible] Fit & Proper [illegible] data and current manual workarounds and occasional lapses of [illegible] non-conformance. It should be noted that a Prove Case has been approved to identify a solution to correct the F&P data issues.
Supply Chain | 2 reviews completed by the end of May 2023. Norwich CVIT review was graded Seriously Adverse | The average results of Supply Chain assurance reviews are [illegible]; average improvement needs stand at 37 at May 2023, which is an increase of 0.2 from February 2023. This will continue to be monitored closely as it is still higher than previously seen.
Tab 4.3 Assurance Update
POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT
Title: Group Assurance Update          Meeting Date: 10 July 2023
Author: Anshu Mathur, Group Assurance  Sponsor: Ben Foat, Group General Counsel
Input Sought: Noting/Approval
The Committee is asked to note the Group Assurance update, particularly:
• Historical Matters Assurance progress, key risk themes and opinions
• Outcomes of other assurance reviews:
  o Postmaster Policy Reviews
  o NBIT Business Requirements - Legal and Regulatory
Group Assurance - Status / Overview
1. Historical Matters Assurance* - Status and outcomes
* As previously presented to ARC, 'Historical Matters' Assurance covers Schemes, IDG (HIJ/CW), Inquiry, Control Framework.
In the period since the last ARC considerable progress has been made in moving the Historical Assurance Plan forward and many elements of the plan are either completed or now in draft reporting stage. Please refer to Appendix 1 for the status of Assurance activities.
Key findings from our assurance review are summarised below:
a. Common Issue Judgements (CIJ 1 to 9) - Draft Reporting
As the ARC is aware, our review applied a critical lens to the evidence provided by the Retail Team, to assess its sustainability and whether any further risks or areas of improvement existed from a Postmaster (PM) lens to prevent detriment and ensure appropriate oversight. A number of challenges had to be overcome and considerable time invested with the Retail team prior to and during the review; this however has resulted in the following benefits for POL:
• A single CIJ universe of actions, with clear ownership and articulation of risks.
• A central repository of evidence, including links to sites, clearly tagged to CIJ:
  o 1,594 evidence items, and access to 53 live sites (containing policies, processes, documents, MI, and access to live systems such as Power BI Dashboards).
  o This should now be used for continuous assurance and to support Inquiry preparation.
Preliminary opinion (DRAFT)
For all 9 CIJ areas we have issued Final Draft reports to the Retail team. Therefore, subject to a final assurance internal review, the key thematic(s) are summarised below:
• 97% of the actions have been completed and evidence exists to demonstrate this.
That said, and as mentioned above, our review has gone beyond the evidence, to review with a critical lens whether the actions are sustainable, can demonstrate or track the impacts on PMs, and where applicable, there is appropriate oversight and governance.
With this context we have identified a number of significant improvement opportunities:
• MI, Dashboards and Reporting (thematic)
  o Whilst the Retail Team have considerable data, MI, and dashboards it is particularly challenging to assess (on an E2E basis) the overall impact on PMs.
  o It is unclear how KRIs, KPIs and exceptions are tracked holistically or triggered for escalations to ensure timely visibility, and appropriate governance.
  o Whilst the GE receive on a regular basis a CIJ dashboard, this in our opinion requires a revamp and should be created with an E2E view of the PM journeys or akin to a balanced scorecard that many consumer facing organisations have to measure their impact and protection of consumers.
• Root Cause Analysis (thematic)
  o Whilst causes or buckets of errors are captured for Transaction Corrections, root cause analysis is not currently used and/or reported to support understanding of why issues/errors are occurring. Outcomes of this type of analysis should also be used to improve PM training and support.
• Quality Assurance (QA)
  o QA processes are being used/introduced in various teams within Retail such as Branch Assurance, Transaction Corrections and Disputes; this is a positive step to provide assurance on activities completed by these teams. Consideration should be given to how QA (status and outcomes) are monitored.
  o Scripts have been introduced to ensure a consistent approach to contact with PMs, and a call recording system has been implemented allowing call monitoring to take place. However, in some instances, calls made via mobile phones cannot be recorded (or logged) and therefore cannot be monitored.
  o PM Suspension payments are calculated by Finance; however these are not independently checked to ensure the accuracy and/or completeness of the Remuneration components.
• Loss Recovery and Investigations
  o For losses that have been investigated and found to be genuine losses, POL is treating PMs differently. Some PMs who are not engaging with POL are not repaying them whilst other PMs who do engage with POL are repaying losses.
  o Additionally, discrepancy cases identified following Branch Assurance reviews are not prioritised for investigation; not prioritising cases may mean PM suspension periods are extended unreasonably.
• Other Thematics
  o A standardised approach to document control (incl. version control) needs to be adopted across the Retail team to ensure POL can demonstrate changes (or no changes) and evolutions to key processes and procedures.
  o Postmaster Support policies - No consistent or effective approach currently exists to monitor or assess the effectiveness or levels of compliance to Postmaster policies.
At an individual CIJ level our DRAFT assurance ratings, using the Internal Audit scale, are summarised in Appendix 2.
b. Speak Up Review - Draft Reporting
Group Assurance performed a review of Post Office's Speak Up function's (previously known as Whistleblowing) processes and procedures to assess the robustness of their control environment.
The Speak Up team was established approximately 18 months ago and during this period the team have invested heavily in reviewing and updating processes and procedures and have also introduced monitoring dashboards for Speak Up, which are reported to Group Executives and Board members monthly.
Whilst being a relatively new team, they are embedding robust processes and procedures, and have a culture of continuous improvement.
Consequently, our draft opinion is that the overall control environment is Satisfactory.
c. Postmaster Detriment - Pot A Suspension Payments - Completed
This review was initiated at the explicit request of the Historical Matters Director who identified a potential risk in connection with accuracy of suspension payments.
The Assurance Team performed a desktop review of the Historical Matters Suspension Payment Processes and performed a walkthrough on three Suspension Payments to assess the effectiveness of controls.
Our review identified that there are significant gaps and weaknesses in the design of the Historical Matters Suspension Payment Processes whereby completeness, accuracy and/or reasonableness of Suspension Payments cannot be assured.
Consequently, our assurance review rates the 'Historical Matters Suspension Process' as Unsatisfactory.
The findings from our review and areas of high residual risk have been discussed with the Historical Matters Director, who will present and share remediation steps needed with HRC.
d. Inquiry - Fieldwork
Assurance of the Inquiry workstream remains in fieldwork as the legacy control environment for Rule 9 requests has gaps (currently unable to demonstrate Rule 9 completeness and accuracy) which the Inquiry team are working to address with the support of HSF. To be revisited mid July 2023.
The Inquiry team are now finalising new processes and procedures for Rule 9 requests, which the assurance team will review to ensure there are no gaps.
It is anticipated that assurance work will recommence mid-late July, sampling more recent Rule 9s, to ensure the new ways of working have been embedded.
e. HSS/Stamp Stock (Fieldwork and Completed respectively)
A sample of HSS claims have been reviewed and initial feedback provided to the HSS and HM Governance team. A further claim remains to be reviewed before a draft report is issued. The main themes of the findings are in relation to the number of duplicate documents and documents that do not have relevance to the history of the claim.
The Stamp Stock Scheme final report has been issued to key business stakeholders. Overall good levels of conformance to processes were found.
2. Other Assurance Reviews
a. Postmaster Policy Compliance Reviews - Draft Reporting
The key thematics emerging from these reviews are:
• The policies themselves are fit for purpose; however significant improvements would be needed to demonstrate compliance, in areas such as:
  o Policy monitoring and oversight.
  o KPIs and/or KRIs
  o Clearer articulation, assessment, and monitoring of key controls
Whilst there is a close alignment with CIJ reviews, and we have aligned both reviews where possible, the Committee should be aware that the approach of the Postmaster policy reviews was fundamentally more myopic and did not apply an E2E view of the POL universe.
The Retail team are reviewing the reports and are targeting end July to provide comments.
Please refer to Appendix 3 for a breakdown of the PM Policy Compliance reviews.
b. NBIT Business Requirements - Completed
The objective of the assurance review was to assess whether business requirements (from a legal and regulatory perspective) have been captured and documented accurately. Our review sampled 8 key requirements across Release 2 and Release 3.
Our findings are summarised below:
• Release 2 - Banking Framework Services: the sample selected demonstrated that clear and precise business requirements have been documented consistently, and this was reflected in Epics and User Stories.
• Release 3 - Improvement opportunities identified: whilst the Travel Money Service, at the time of the review, was work in progress and had not been fully developed, the review identified that the product requirements had not been accurately or fully captured.
A consistent approach to capturing business requirements has not been implemented between the two releases. In relation to R3 the requirements are captured across Jira via a combination of process flows, Epics and User Stories, which makes identifying and ensuring accuracy of the requirements extremely challenging and therefore raises the inherent risk of error or inability to assess completeness/accuracy of business requirements.
NBIT have now appointed EY to perform a deeper review of business requirements for R2.
c. Pause Payments - Outstanding Balances - Completed
The process used by the HM Legal team to complete and document their assessment to continue recoveries of losses for 21 cases involving PMs is very methodical, with good file structures and a clear application of logic to categorise the risk classifications.
That said, our review has highlighted the following risks that management need to carefully consider prior to assessing whether recoveries should continue or be paused:
• It is unclear whether the POL individuals involved in these cases (audit, investigation, and security teams) and the processes and practices they adopted (dates range from 2006 to 2020) were similar to those that led to incorrect historical convictions.
• The level of documentation varied for the cases reviewed; in two cases (both CCJ) there was significantly less documentation.
CONFIDENTIAL
CONFIDENTIAL
A verbal update will be provided on the HMC's decision to continue or suspend such recoveries from PMs.
Appendix 1 - Status of Assurance Activities at 29 June 2023
Area | Status | Update
PM Detriment POT A Suspension Payments | Complete | Assurance review completed, report issued to HM Director 16/6/23 - affirms the HM Director's significant concerns on accuracy and completeness of payments.
Stamp Scheme | Complete | Report issued 18/5/23, overall good levels of conformance.
NBIT Business Requirements | Complete | Identifying and ensuring accuracy of business requirements is challenging and therefore raises the inherent risk of error or inability to assess completeness/accuracy of requirements.
Pause Payments - Outstanding Balances | Complete | Our review highlighted that there is significant risk for POL in continuing to recover outstanding balances from Postmasters for 21 cases ranging between 2006 and 2020.
CIJ | Draft Report | Final Draft summaries issued to the Retail team - expected mid July 2023.
Postmaster Policies | 9 Draft Reports, 3 Reporting | Policy Assurance fieldwork is now complete and 9 PM Policy Review Draft Reports have been issued to the business for response - expected mid July 2023.
Speak Up | Draft Report | Assurance review completed; final draft report issued to Head of CIU - expected end June 2023.
Investigations (CIU) | Draft Report | Assurance fieldwork has completed, draft report issued to CIU - expected mid July 2023.
Shortfall Scheme | Fieldwork | Work in progress and a draft report to be issued by early July 2023.
Inquiry | Fieldwork | Awaiting further information from Inquiry Team to enable completion of review by mid July 2023.
CF - Tech Change | On Hold | The Technology team has completed the majority of the work; blocker is the Assurance Director's capacity to
HW | Suspended | Review is currently suspended. Preliminary observations have been shared with the Horizon and GLO Director. Formal draft not issued. Next steps TBC.
OHC / PM Detriment | | Targeting to commence fieldwork in July/August 2023.
Appendix 2 - Summary of CIJ - Assurance outcomes (Inquiry lens)
[Ratings chart; only the CIJ area labels and one rating band are legible in the scan]
CIJ 1 (Onboarding) & CIJ 9 (Culture & Comms)
CIJ 3 (Audits - now known as Branch Assurance)
CIJ 4 (Shortfalls)
CIJ 6 (TC & Disputes)
CIJ 7 (Suspensions)
CIJ 8 (Terminations)
Unsatisfactory: CIJ 2 (Training) & CIJ 5 (Loss Prevention)
DRAFT
Appendix 3 - Assurance Postmaster Policy Compliance Reviews - DRAFT STATUS
[Rating matrix; the rating cells are not legible in the scan. Policies reviewed (columns): Network monitoring; Transaction correction; Account support; Account dispute resolution; Decision review; Summary; management; Onboarding; Training; Network and Cash. Criteria (rows): Overall policy rating; Is risk adequately identified?; Is the risk appetite correctly identified?; Are the key personnel correctly identified?; Are reported minimum controls actually controls?; What are the key controls?; What are the key metrics / KPIs?; Is the process / procedure correctly articulated?; Does the evidence show the policy is working?; Given the above, can we be sure the policy is fit for purpose? One policy column is marked "Draft Report not issued".]
Scale: [symbol] - Satisfactory
Tab 4.4 Internal Audit Report
POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT
Title: Internal Audit Report          Meeting Date: 10 July 2023
Author: Johann Appel - Director of Internal Audit & Risk Management   Sponsor: Al Cameron - CFO
Input Sought: Noting
The Committee is asked to:
i. Note the audit results for 2022/23 and internal control themes identified;
ii. Note the turnaround time for internal audit reports;
iii. Note the progress being made with delivery of the internal audit programme and completion of audit actions.
Executive Summary
This paper provides a summary of the internal audit results and control themes, as well as the performance against reporting SLA for 2022/23. We also provide an update on the progress of the 2023/24 internal audit programme and completion of audit actions.
Key Messages
• Control Themes: The top three control themes for 2022/23 have remained the same, with a notable increase in findings around change delivery. The control environment for non-change activities appears to have remained stable.
• Report Clearance: The time taken to clear audit reports has worsened from 20 days to 31 days against the SLA target of 20 days. It took an average of 56 days to clear programme assurance reports. Our assurance activities aim to remediate programme weaknesses in a timely manner. Delays in finalising reports therefore erode the impact, relevance and the value of our work.
• Overdue Audit Actions: The number of overdue audit actions continues to increase, reflecting the constraints that the business is operating under, with ever increasing demands, competing priorities and interdependencies.
Report
Summary of Audit Results for 2022/23
1. The distribution of audit report ratings for the last three years is shown below. 2022/23 saw audit numbers return to usual levels following the conclusion of additional post-GLO support reviews requested in 2021/22.
[Chart: distribution of audit report ratings by year (22/23: 23 audits; 21/22: 33 audits; 20/21: 22 audits). Categories: Satisfactory, Needs Improvement, Needs Significant Improvement, Unsatisfactory, Not Rated.]
2. During 2022/23 we raised 162 actions across 23 audits (compared to 194 actions across
33 audits in 2021/22). The average number of findings per review has increased from six
in 2021/22 to seven in 2022/23. Change audits, which historically have generated a high
number of actions, have moved closer to the mean for the total population, at eight.
[Chart: Number of Actions and Audits. 20/21: 22 audits, 130 actions; 21/22: 33 audits, 194 actions; 22/23: 23 audits, 162 actions.]
3. The split of findings across our three ratings shows little change from last year. The significant majority of findings are rated Priority 2: ‘weakness in governance, risk management and control that if unresolved exposes the organisation to a high level of residual risk’.
[Chart: split of findings by priority rating, 22-23 vs 21-22. Categories: P1 (High Priority) - Significant Weakness; P2 (Medium Priority) - Weakness; P3 (Low Priority) - Scope for Improvement.]
4. Audit findings were analysed to identify recurring control themes and root causes. The top
five control themes were as follows, with full results in the reading room (appendix 1).
Rank | Control Theme (by COSO control components) | % of Audit Findings 21/22 | % of Audit Findings 22/23
1st | Change Delivery¹: Ineffective change governance, risk management and tracking/realisation of benefits. | 27% | 41%
2nd | Control Activities: Internal controls are not deployed through policies, procedures and systems and/or internal controls are not designed or operating effectively. | 19% | 19%
3rd | Information & Communication: Unavailability of relevant, quality information to support the internal control function and decision making. | 22% | 17%
4th | Ineffective identification and/or management of operational fraud and change risk. | 6% | 5%
5th | Lack of clarity of structure, authority and responsibility. | 5% | 8%

¹ Change Delivery is not a standard COSO control component; however, these findings are shown separately to avoid distortion of BAU controls.
5. The key observations of the year-on-year movements in control themes are:
• Change Delivery control issues represent 41% of all audit findings, up from 27% in 21/22.
• The top three themes are the same as 21/22, although the order has changed.
• Seventy-seven percent of all actions fall into the top three themes (68% in 20/21).
Key messages and our actions
6. The concentration of results in the top three control themes shows the importance of
doing change well, effectively controlling risk and having access to quality
information. Improvements in these areas will have a significant positive impact on the
control environment.
7. The top three themes have remained the same for the past four years. Improvements
are seen in some areas; for example, work to improve the quality of key policies has added
much needed clarity to the policies themselves, as well as to who is required to comply.
However, progress is slow. Management must ensure adequate effort is expended to
improve these areas.
8. Change Delivery continues to be the top theme, now with a larger percentage of audit
findings than 21/22. This signals the ongoing challenges of managing a strategic change
portfolio that encompasses critical programmes across the business. Programme alignment
and delivery remains one of the 13 Enterprise risks, which reflects the importance of this
area at a strategic level.
Work to support the NBIT programme in the period generated 44% (35 of 67) of all
change audit actions, with 34% of these rated as P1: Significant Weakness.
• We will: continue to provide focused and independent scrutiny of the NBIT programme.
• We will: seek to work collegiately with programme management, and will escalate where appropriate to senior stakeholders.
9. The percentage of audit findings relating to ineffective control activities stayed steady
at 19%. This has been a consistent finding for actions across all areas of POL. In the 21/22
themes report we noted activities were underway to address some of the operational
challenges, such as the continuing roll-out of ServiceNow for risk management and controls
monitoring, and the strengthening of key policies. These initiatives are now in place, and
have had a positive impact on the effectiveness of controls across the business. However,
some areas, such as the build-out of a comprehensive control framework, have not
developed at the pace expected, partly due to competing priorities, such as cost reduction
and the resource impact of the Inquiry. Nonetheless, the absence of decline in control
activities reflects well on the continued efforts of the business to maintain a sound control
environment throughout a challenging year.
• We will: use our reach to actively promote the development and integration of POL-wide control frameworks.
10. Unavailability of relevant, quality information showed a small improvement this year.
Although the anticipated investment to fully leverage the data we hold was deferred, the
business has made progress in developing more robust reporting to support decision
making. This theme also refers to occasions where information is available, but MI reported
upwards for monitoring and decision-making is inaccurate, incomplete or inconsistent.
• We will: expect management to keep a critical head over MI, to include regular reviews of the underlying assumptions around the source, content and interpretation of data used. This will be assessed as part of our controls testing work.
Audit report turnaround during 2022/23
11. In 2022/23 it took an average of 31 working days from the close of fieldwork to issue the
final report to management. This is an increase of 11 days on our prior year performance.
Our target SLA of 20 days was not met.
[Chart: Report Turnaround Time in days, year on year. 2020/21 = 17; 2021/22 = 20; 2022/23 = 31. Target SLA = 20 days.]
12. Further analysis shows that programme assurance reviews took, on average, 2.6 times
longer to clear than BAU reviews (56 days vs. 21 days).
[Chart: Report Turnaround Time in days, Change vs BAU. Change = 56; BAU = 21. Target SLA = 20 days.]
13. Any delay in reporting extends the exposure of the business to untreated risk unnecessarily,
which is compounded by the nature of change programmes: our reviews are designed to
provide real-time assurance and insights that enable programmes to address any areas of
weakness promptly. Any reporting delay dilutes the impact, relevance and, therefore, the
value of our work.
14. An initial root cause analysis shows the turnaround time is influenced by the levels of
engagement achieved with programme heads, and by difficulties in identifying appropriate
action owners for the reported risks. This has been compounded by uncertainty of roles and
responsibilities between the SPM and RTP programmes, and at a GE level. IA have taken
care to communicate clear expectations before each assignment, to challenge behaviours
that are not aligned with PO ways of working, and to escalate promptly where necessary.
However, we expect these issues to persist until structural and cultural issues impacting the
twin programmes are addressed.
15. Performance in BAU audits remained strong at 21 days, reflecting the good working
relationships we cultivate across the business.
Progress against plan for 2023/24
16. We have completed two POL audits during the current reporting cycle.
17. The current status of the 2023/24 plan is as follows:
[Chart: POL Internal Audit Plan 23/24, Status: Total Audits = 22¹; POI Internal Audit Plan 23/24, Status: Total Audits = 6². Categories: Completed, Fieldwork, Planning, Not yet started.]
¹ Target number of reviews based on revised plan for 2023/24 approved by ARC was 22 (16 internal control reviews & 6 change assurance reviews). Details of the audit plan are in the reading room (Appendix 2).
² POI ARC approved baseline plan for 2023/24.
Internal Audit reviews completed
18. The following audits have been completed since the March ARC meeting:
1. Application Modernisation Programme
2. Validation of 2022/23 STIP Bonus Metrics (Not rated)
19. Our findings and observations from these reports are summarised below, with the full
reports (where applicable) available in the reading room.
20. Application Modernisation (Ref. 2023/24-01)
Rating: Some Delivery Risk
Sponsor: Zdravko Mladenov
Audit actions: P2 - 4; P3 - 1; Total - 5 (Reading Room appendix 3)
The Application Modernisation programme (App Mod) was spun-off from the Belfast Exit (Belfast cloud migration) programme after its closure in September 2022. App Mod is focused on re-building strategic services in AWS and exiting the legacy Fujitsu 3rd party integrations, to support re-use in the NBIT solution, and is phased to align with NBIT requirements and rollout. It includes two major strategic projects: POETS, a Commercial Off-The-Shelf (COTS) solution, replacing the PODG batch file transfer platform, and the APOP solution being built in the Cloud to replace the current APOP business voucher authorisation system housed in the Belfast Data Centres. This provides multiple services including Postal Orders and Pay-out products. A third project, inherited from the Belfast Exit Programme, is to build web services to handle data flows and transactions with partners.
IA assessed effectiveness of project governance and control, risks to delivery, contingency plans for delays, and the relationship with dependent projects including Strategic Platform Modernisation (SPM).
The programme set-up did not fully comply with the Change Excellence Framework as there is no
business case. However, most of the key elements of set-up are in place except for certain aspects
of benefits management, and action has also been taken to introduce a PID (Project Initiation
Document) retrospectively. The programme appears closely managed, but there is a degree of
delivery risk which is mainly driven by external factors such as the nature of the current relationship
with Fujitsu, and challenges with the SPM programme, with which App Mod has dependencies. If
these external issues deteriorate this will lead to an increasing level of risk to delivery.
Management Comment: Graham Bevin, Head of Integr…ing (Business Sponsor)
We acknowledge the findings of the Audit that the Programme is closely managed but carries an element of Risk.
Regarding the findings on programme initiation, it is recognised that the standard CEF processes were not
followed fully. However, as the project was set up via a Change Request as a result of the Belfast Exit programme
terminating and the resultant deliveries being split into the App Mod and Datacentre Fortification programmes,
it should be noted that all processes, stakeholder engagements, reviews and approvals as directed by the POL
Portfolio and Finance teams were complied with fully. As per the report there are predominantly mitigations
already in place to address any initial gaps, and actions agreed within the report for all other areas.
The finding of ‘Decisions made without a quorum’ has been addressed, with DCSN0001460 approved May 18th
2023, to amend the SteerCo Terms of Reference, reducing the Quorum from the full distribution to key
stakeholders.
The finding of ‘Insufficient access to RTQ information’ is a POL wide position, and is not programme specific, this
needs to be addressed as an improvement opportunity for the RTQ process itself and is to be picked up by Matt
Keefe and Cherise Osei.
Weaknesses in communicating NBIT dependencies have been acknowledged by both teams and we are working
towards a solution. Planning engagement has been established between the App Mod Programme Manager and
the NBIT delivery team.
21. Validation of 2022/23 STIP metrics (Ref. 2023/24-02)
Rating: Not Rated
Sponsor: Jane Davies
Internal Audit were requested by RemCo, via the People Team, to validate the three metrics of the
2022/23 Short Term Incentive Plan (STIP), which relate to ‘Rebuilding Trust’.
We have concluded our review and provided a report with our factual findings to the Interim Group
Reward Director, which will inform his recommendations to the RemCo. Due to the sensitive and
confidential nature of the information, no further details are provided in this paper.
Changes to the 2023/24 plan
22. We have made the following changes to the approved internal audit programme:
• Addition to plan (management request) - Validation of 2022/23 STIP Metrics. This work was completed in June 2023.
• Scope / focus change (management request) - Postmaster Off-boarding will change to Postmaster On-boarding Financial Approvals Process.
Internal Audit reviews in progress
23. The following audits are in progress or planned for delivery at the next ARC:
# | Review | Sponsor | Status
1 | Financial Reporting Controls | Al Cameron | Fieldwork
2 | HSS | Ben Foat | Fieldwork
3 | Contractor Hiring Process | Jane Davies | Planning
4 | Postmaster Onboarding Financial Approvals Process | Martin Roberts | Planning
5 | Stamp Stock Controls | Martin Roberts | Not started
6 | Cloud Security | Zdravko Mladenov | Fieldwork
7 | IT Vendor Risk Management | Zdravko Mladenov | Not started
8 | Data Centre Fortification Programme | Zdravko Mladenov | Planning
Status of Audit Actions
24. There are currently 25 actions overdue, 11 of which are older than 60 days. We are
working with the action owners to close these actions and have escalated to the relevant
GE sponsors where appropriate.
25. The movement and ageing of audit actions are shown in the table below (status as of 29
June 2023).
Audit Action Status (POL):
Open actions at last ARC | 35
Less: Actions closed in period | 15
Add: New actions in period | 62
Total open actions | 82

Ageing:
Open (not yet due) | 57
Overdue (<60 days) | 14
Overdue (>60 days) | 11
Total open actions | 82
26. Below is more detail of the overdue actions and latest status update (SPM actions are provided separately in summary format):

Columns: Description of audit finding and Priority rating | GE owner and due date | Action Owners and Status Update

Cyber Resilience (Phishing & Ransomware)

Finding (P1): [IRRELEVANT]
Action: Document an overarching Post Office backup strategy that addresses the need to restore systems and data to points in time, to ensure that clean backups are available.
GE owner: Zdravko Mladenov. Original date: 30/06/2022. Revised date: 31/01/2023.
Owner: Dean Bessell. Delayed due to funding constraints and numerous staff changes. Analysis of current backup processes and gaps funded as part of Cyber Maturity Programme Proof of Concept which will inform full funding request due to go to GE in September.

Finding (P1): There is no fully integrated inventory of hardware and software assets (ref. 01).
Action: Full implementation of the CMDB, along with additional tools to provide environmental discovery and auditing.
GE owner: Zdravko Mladenov. Original date: 30/11/2022. Revised date: [illegible].
Owner: Dean Bessell. Delayed due to funding constraints. CMDB is now part of full Cyber Maturity Programme funding [IRRELEVANT] due to be presented to GE in September 2023.

Finding (P1): [IRRELEVANT]
Action: Undertake a security risk assessment of all branch equipment.
GE owner: Zdravko Mladenov. Original date: 30/06/2022. Revised date: [illegible].
Owner: Dean Bessell. Delayed due to funding constraints. 5 out of 6 sub-actions now complete. Final action expected to be complete by end June.

Finding (P1): [IRRELEVANT]
Action: Ensure that Conditional Access Policies are applied to all necessary users.
GE owner: Zdravko Mladenov. Original date: 30/06/2022. Revised date: 1/03/2023.
Owner: Dean Bessell. Delayed due to funding constraints. 3 out of 4 sub-actions now complete. The final action is expected to be complete by September.

Postmaster Remuneration

Finding (P1): Key Person Dependency and lack of documented processes (ref. 08).
Action: Fully document manual processes used in the completion of the Postmaster remunerations and establish appropriate succession planning/emergency cover processes.
GE owner: Martin Roberts. Original date: 30/06/2022. Revised date: 31/01/2023.
Owner: Paul Liddiard. This work took longer than anticipated due to having to recruit additional staff. The work is now nearing completion, expected to be complete by end July.

Business Continuity

Finding (P2): There is no overarching back-up policy or strategy for Post Office systems and data (ref. 12).
Action: Define an overarching back-up policy or strategy, with supporting standards. The strategy should also address vendors who provide resilience based on service availability rather than recovery objectives (e.g., Ingenico).
GE owner: Zdravko Mladenov. Original date: 30/06/2022. Revised date: 31/01/2023.
Owner: Dean Bessell. Delayed due to funding constraints and numerous staff changes. Analysis of current backup processes and gaps funded as part of Cyber Maturity Programme Proof of Concept which will inform full [IRRELEVANT] funding request due to go to GE in September.
27. Update on SPM (STP & RTP) audit actions:
As at the date of reporting there are 18 open actions related to the delivery and rollout
of the NBIT system, seven of which are not due for closure until the end of June or
beyond. Five actions are overdue for more than 60 days.
The recent split of SPM into two programmes (STP and RTP) necessitated six actions
to be transferred outside of STP (one to RTP, one to SPO, one to the Director of
Assurance and three escalated to GE ownership).
Of the remaining 12 actions Management has asked IA to close one action greater
than 60 days past due. However, evidence provided was insufficient to support this
request and we are seeking additional supporting documentation. We are continuing
to work with both programmes to close the remaining overdue actions and those due
to close within the month.
POI Audit Programme
28. The table below shows the status of the provisional 2023/24 POI audit programme, which is reported to the POI ARC:
# | Proposed Review | Status | Timing | ARC reporting | Rating
1 | Follow-up review … | Fieldwork | Q1 | Jul 23 | n/a
2 | Third Party Oversight | Not started | Q2 | Nov 23 | n/a
3 | Cyber Security | Not started | Q2 | Nov 23 | n/a
4 | Pricing Controls | Not started | Q3 | Jan 24 | n/a
5 | Operational Resilience | Not started | Q3 | Jan 24 | n/a
6 | Placeholder | TBD | TBD | TBD | n/a
Appendices¹
Appendix 1: Internal Audit Control Themes for 2022/23
Appendix 2: Internal Audit Plan for 2023/24
Appendix 3: Internal Audit Report - Application Modernisation Programme
¹ Appendices 1-3 are accessible in the CoSec ‘Reading Room’.
Tab 5 Postmaster Losses
Post Office Limited - Document Classification: INTERNAL
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Update on Retail Risk RKO021792
Title: Inability to identify, investigate and resolve discrepancies in the network.
Meeting Date: 10 July 2023
Author: Mel Park (Central Operations Director)
Sponsor: Martin Roberts (Group Chief Retail Officer)
Input Sought: Noting
The committee is requested to:
i. Note the business risk appetite and tolerance in this area
ii. Note the current position of the risk
iii. Note the action taken to date and future remediation plan
iv. Note the next steps
Report
1. Current risk appetite and tolerance
The risk RKO021792 Inability to identify, investigate and resolve discrepancies in the network. If the branch support teams do not have robust discrepancy management
processes and procedures and accurate and timely MI in place there is a risk that Post Office
is unable to identify, investigate, resolve, and recover losses in the network effectively,
resulting in financial and reputational damage. In addition, the lack of robust management
information drives an inability to identify root cause and tackle the reason discrepancies occur
at source.
We are risk averse to risks which impact the service and support provided to postmasters. The
risk is currently outside of agreed appetite and tolerance levels, we will continue to monitor
and manage this risk to an acceptable level.
2. Current position of the risk
This risk is currently assessed as Impact 4: Likelihood 3 which is out of tolerance for the following reasons:
• A lack of understanding from postmasters regarding their contract responsibilities around back-office operations leading to an inability to manage contracts appropriately
• Shortfalls in the provision of ongoing support and training to postmasters and their teams regarding back-office processes, and no requirement for regular refresher training to be completed. This has been compounded by the reduction in the on-site trainer population over time.
• Reduction in field and desk-based compliance teams have meant a lack of validation around existing performance and operational control standards, resulting in fewer branches being identified as requiring an early support intervention
• Lack of clarity around roles and responsibilities across the different functions and highly manual processes in both Branch and Central back-office processes, ie Stock deliveries to branch, month end provisioning process, increase the risk of error
• Lack of robust Management Information to enable end to end tracking of discrepancies, understanding drivers of discrepancies and supporting resolution at source
The risk culminates in a significant impact to PO financial performance in terms of postmaster losses - a [IRRELEVANT] charge to the profit and loss account in 2022/23 and a year end balance sheet provision of [IRRELEVANT].
There are also significant central costs in managing the large volume of discrepancies - in 2022/23 circa 155,000 discrepancies were issued with a gross value of over [IRRELEVANT]. In addition, Postmasters used the review and dispute option over 8,000 times to record discrepancies with a gross value of circa [IRRELEVANT].
Due to the points listed above the support provided by PO to its Postmasters, to run
operationally robust branches is unsatisfactory and contributes to a lack of PO appetite to
recover established losses when they do arise and even when they have been through the
appropriate investigation and resolution process.
3. What actions have we taken already to remediate the risk and what future actions
are planned?
There has been an enhanced focus on managing this risk over recent months with a number of
actions already implemented in a bid to deliver the profit and loss saving included in the
2023/24 cost budget and also enable improved support for Postmasters. Details of these actions
can be found in Appendix one.
In order to bring the risk back within tolerance and also provide confidence around the recovery
of established losses, the outputs of the EY review and Discrepancy Immersion Day described
in points 6 and 7 of Appendix 1 have been merged to create a Discrepancy Improvement
Programme.
Workstreams within the Programme will represent the main areas of the Postmaster journey,
where improvements have been identified to deliver a step change in the operational support
provided to Postmasters thus reducing the value and volume of discrepancies. These
workstreams are detailed below with the accountable business owner for each identified:
• Improving the identification, investigation, and resolution of discrepancies on a timely basis (Mel Park)
• Reviewing both the onboarding and ongoing Postmaster training provision to ensure it appropriately addresses the requirements around back-office processes (Tracy Marshall)
• Adapting the field team structure to allow timely identification of branches exhibiting poor operational compliance, provide the appropriate support intervention and thus enabling the management of contractual operational requirements of our Postmasters in a fair and consistent way (Pete Marsh)
• Delivering improvements to both the Postmaster and Central back office operational processes to simplify and limit manual intervention (Mel Park)
• Providing MI and insight to enable us to understand the drivers of discrepancies and understand the interventions and actions required to address root cause (Michelle Evans)
[IRRELEVANT] saving in branch losses has been included in the 2023/24 budget and the objective for this Programme is to deliver at least this number by the end of the year. This is however
dependent on the outputs of the additional network monitoring and assurance activity and the
outcome of the resulting investigations.
The activities within the Programme will take time to embed and improve ways of working in
both branches and PO central functions, so whilst starting to have an impact in quarter 4 of
2023/24, it is not expected that there will be a significant reduction in discrepancies (both value
and volume of transaction corrections and use of review and dispute process), and therefore
losses until 2024/25, which is when the risk is expected to become within agreed appetite and
tolerance.
4. Next Steps
The detailed workstream action plans will be agreed at the first Programme Steerco at the end
of June, following which, progress against the actions will be managed via the programme
governance framework with regular reporting back to GE, RCC & ARC.
Several actions identified within the workstreams will be delivered across the next 6 months
with little or no additional resource required. The remainder will be longer term actions requiring
investment and/or additional resource, but we will look to implement them as soon as possible
and before the end of the financial year. Any requests for funding will be governed through the
IADG process and timelines and investment requests will be confirmed as part of the project
set up and review process.
This workstream activity will also dovetail with a planned programme of work to improve
operational excellence across the network. In summary, this will involve enhanced network
monitoring to improve data analysis and identify potential issues in branch; enhanced branch
assurance and conformance functionality to enable in branch monitoring of operational
standards and increased on site trainer resource to provide appropriate interventions to
increase knowledge and awareness of key operational processes where needed. This activity
will also help pave the way for the successful conversion of branches from Horizon to NBiT in
due course.
Gaining input from postmasters will be critical to the success of this programme, to ensure that
they are aligned with what we are aiming to achieve and that actions planned are fit for purpose
and will make a real difference in how they run operationally robust branches, delivering a
fair and consistent resolution to discrepancies, and ultimately reduce the risk of loss for all
parties. As such we will engage with the NFSP and seek input from our two NEDs and
Postmaster Director as well as other relevant Postmaster forums at the appropriate time. We
will ensure that we communicate effectively with postmasters about our plans and any
improvements implemented. The potential risk of external comment on this Programme will
also be closely monitored.
We will return to ARC in October to update more fully on progress on each of the actions
identified within the workstreams and the impact on postmaster losses and discrepancies.
Appendix 1 - Actions already put in place to mitigate the current risk
• Timely service level reviews with insights and action where required
• Transaction Correction and Review and Dispute data is issued to the Regional Managers and Area Managers each trading period to initiate a conversation with the Postmaster about support required
• Use of Business Support Centre capacity to support contacting PMs, to gather discrepancy details within the first week after using review and dispute. Failure to contact within a week decreases the chance of a successful resolution
• A Discrepancy Trouble Shooting section added to the Operational Training Guide now live on Branch Hub and the Learning Management System and will be incorporated into the Postmaster Onboarding training
• In the absence of end-to-end discrepancy data, and to support our view of current state, the status of the 21 largest value discrepancies (deficits £1.1m and surpluses £0.9k) within the 712 (gross value £3.75m) P10 (January) Review and Dispute uses is being tracked to resolution. Initial analysis by EY at the end of April highlighted issues with the consistency of data within Dynamics (our case management system) and so we are manually tracking these and will provide a status update at the end of period 2
• EY conducted an end-to-end discrepancy review earlier this year to document and assess the processes, systems and data flows for the interlinked areas that drive branch discrepancies. This identified 17 key issues and provided 8 high level recommendations to address these.
• A Branch Discrepancy Immersion Day was held in Chesterfield on Thursday 4th May. Circa 40 key stakeholders attended to review all problem statements and discuss potential solutions in the following areas.
  o Postmaster onboarding and training
  o Postmaster contract management
  o Network Reconciliation (ie 3rd party data, cash and stock discrepancies)
  o Review and Dispute use and discrepancy management and investigations
Tab 6 POI Deep Dive
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: POI Risk and Compliance “Deep-Dive”
Meeting Date: 10 July 2023
Author: Tan Holloway, Director of Risk and Compliance Post Office Insurance
Sponsor: Clare Ryder, Non-Executive Director and Chair POI Audit and Risk Committee
Input Sought: For Discussion and Input
Previous Governance Oversight
This paper is one of a regular series of updates to the Committee, the last update being
provided in December 2022.
Executive Summary
POI delivered an impressive performance in 22/23. EBITDAS was £15.5m being £5.1m
favourable to budget with travel business proving particularly robust.
Overall Management believe that the POI business operates an effective risk framework
which correctly captures all relevant strategic, operational, financial, regulatory and IT
related risks. These risks are in turn controlled to appropriate appetite levels.
POI's top residual risk relates to cyber security. Whilst there has been strengthening within
the POI estate around our firewall and credential checking, POI has a dependency on POL for
a number of important services. POL currently regards cyber risk as out of appetite. There
is a particular focus on Belfast strengthening and Ransomware response planning.
Management also notes the significant risk relating to recession given that our travel and
protection businesses rely on discretionary spend. It is noted however that travel sales
remain very robust. Inflation also poses a risk given that claims inflation tends to be higher
than price increases in the rest of the economy. Motor prices in particular are producing
significant year on year increases for customers currently.
Reputation risks also remain significant given the potential impact of Historical Matters on
the wider Post Office brand.
Work to deliver on Consumer Duty and AR oversight remains on track and on budget.
Consumer Duty has delivered a number of positive improvements to customer outcomes.
These improvements include simplification of customer facing documents, greater degrees
of self service and enhanced product review and oversight.
POI notes that undertaking personal due diligence on Senior Management within POL has
been challenging. The FCA requires these checks now annually within AR/Principal
relationships and POI will look to work together with POL Management to ensure that the
process for gathering the data to support these checks is optimised.
The POI and POL ARC Chairs have agreed in principle that POI will have sight of relevant
material presented to the POL ARC. This will allow POI Managers and Directors to ensure
that they are aware of any wider POL issues which might impact on their regulatory
responsibilities for effective Risk Management within POI. The exact nature of this exchange
is currently being agreed with input from the POL legal team.
Report
1. What are the top risks being managed by POI?
In Appendix A of this paper we have noted all risks graded as “nine” or above. The following
risks are particularly worthy of note:
1.1 Cyber security. Cyber security has been the subject of a separate POI ARC meeting
with an onward escalation to the POI Board. Since the last update to the Committee,
POI has undertaken significant strengthening of its firewall, implementing a
significantly enhanced structure with the help of Accenture. Credential validation has
also been strengthened, including the use of Captcha at log-in. However, cyber risks
have increased over the last year following the invasion of Ukraine and the risk remains
heightened. POI has key systems dependencies on POL, and POL considers that in some
areas cyber risk is out of appetite, notably in respect of the Belfast data centre and
preparedness for a ransomware attack. Under Board supervision, POI has undertaken
an analysis of the potential knock-on impacts of a failure of POL systems on POI. This
would impact areas such as branch sales, Finance and Company Secretariat and would
be significant, though it is likely that POI could continue to trade. The POI IT team is
working closely alongside the group function regarding ransomware mitigation.
1.2 Risk information flows from POL to POI. Our current focus on cyber risk has
highlighted the need for better information flows from POL to POI. POI is a regulated
business with formal responsibilities to oversee risk and report relevant issues to the
FCA where required. POI was not promptly aware that POL considered its cyber risk
to be out of appetite, and this is clearly relevant to POI and its Senior Managers and
Directors, who have personal liability to the FCA for their oversight of business risk.
Going forward it has been agreed between the POI and POL ARC Chairs that POI will
have access to POL ARC agendas and minutes and that relevant issues will be
discussed at the POI ARC.
1.3 Reputation. POI Management notes the issues created by the error in the POL
accounting statements in respect of the sign-off of the provision of information to the
Historical Matters enquiry and the collecting of ethnicity data using inappropriate
language. A number of media outlets continue to run adverse stories reporting events
at the enquiry and ITV has announced that it will be undertaking a drama documentary
covering the events relating to the Horizon system. Whilst there is no current evidence
that customers are not purchasing POI products on the back of the scandal,
Management recognises that risks remain, notably as we move towards the next stage
of the enquiry. There is also a risk that the enquiry detracts attention and resources
from the core operational business and may impact recruitment and retention of
quality staff.
1.4 Risk of Recession. POI has core product lines in travel and protection, which are
both discretionary spends for customers. There are therefore risks that if the UK
enters a recession these products may be disproportionately impacted. At this stage
it does not appear that a formal recession is likely and, for travel insurance, business
is holding up very well. Research indicates that holidays are now higher in customer
priorities following the Covid lockdowns.
1.5 Impact of Inflation. Inflation is already having a major impact in insurance. Claims
costs are increasing as staff, materials (home repairs), car parts and medical expenses
are all rising.
1.6 Premiums are steadily increasing in Motor and Home Insurance, with some large year
on year increases currently being seen in motor, and whilst this offers some
opportunity (commissions can rise too), the impact on customers and the market is
uncertain. Inflation remains stubbornly high.
1.7 Duck Creek upgrade. This significant upgrade to our core infrastructure has been
achieved with minimum snags. This further demonstrates POI's ability to deliver
effective change. Management will now look to remove this risk.
1.8 People and organisation. The financial services job market remains buoyant, even
as the UK enters a cost-of-living crisis. POI has a number of skilled staff who will be
attractive within the market more generally, and general wage rates are increasing
markedly beyond those paid by POL or POI. Individual retention activity has been
undertaken and Management and HR have a significant focus on succession planning.
The wage rise agreed by POL for POI staff has also been well received. To date, only
limited staff turnover has been seen in POI. Management had considered reducing
the scoring of this risk; however we have maintained the risk level given concerns on
bonus payments and the timing of payments and increased reputational activity.
2. What have been the key movements in POI risks since the last report?
Risks that have reduced since December 2022:
2.1 Delivery of Duck Creek Upgrade. POI has now delivered this change successfully
and the risk will be removed.
2.2 FCA GI pricing. The anniversary of the changes to FCA rules has passed, and whilst
the market remains in flux, this is principally down to inflation pressures and insurers
rebasing their performance following their excellent results during Covid.
Risks that have increased:
2.3 NBIT risk. POI has recognised a new specific risk relating to NBIT implementation.
This reflects the risks to branch based business if NBIT does not deliver the required
functionality for POI. This risk score is 6, reflecting the relatively small proportion of
branch business to POI and an increasing sense of progress with our elements of the
programme, but recognising the importance of this programme to the group.
2.4 Transition to a single call centre provider. POI is in the process of moving its
existing household call centre from First Source to Webhelp. This transition is likely to
be complete by the end of 2023. Management notes that this transition is important
both in terms of the quality of service which is offered to customers and also the
potential for significant cost savings, both from the negotiation of a new and larger
contract and potential efficiency improvements. The project remains on track at this
stage.
Risks remaining stable:
2.5 It was noted at the POI ARC that a number of risks have remained static in their
scoring over the period. This includes our assessment of cyber, staff, inflation and
recessionary risks. For cyber, POI has seen an improvement in the assessment of the
risk relating specifically to POI systems, including Duck Creek, following the
strengthening of controls. However, this has been counterbalanced by our increased
knowledge of the level of cyber risk within POL, which could impact POL.
2.6 Similarly there has been a robust debate on the level of the risk relating to staff
retention. Management believes the level of this risk has been positively impacted by
the payment of a reasonable salary increase, which has then been impacted by the
news from Historical Matters and the potential bonus impact. The ARC has requested
that Management note the debate that has occurred on stable risks.
3. What significant incidents have occurred in POI over the last year?
3.1. January denial of service attack. On Friday evening (27 January 2023), POI was
subject to an unusual pattern of high-volume transactions which were not resulting in
sales or other customer activity. In accordance with our plans for dealing with such
incidents, the web system was throttled and then suspended until 1.30 pm on
Saturday 29 January 2023 as a precaution. Customers were able to contact us by
phone. The impact to POI would have been a small reduction in sales over the period
our web service was not available. No data was compromised in this event and the
FCA were informed.
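The response described in 3.1 (throttle, then suspend, when the web front end sees a flood of transactions that produce no sales) can be driven by a simple detection over web access logs. The following is an added example, not POI's or POL's own monitoring code: the log line format, the convention that a completed sale is a 200 response on a /purchase/ path, the constructed traffic and the baseline and thresholds are all assumptions made for the illustration.

```python
"""Detect high-volume, non-converting web traffic and decide throttle/suspend.

Added example, not POI's or POL's monitoring code. It assumes an access-log
format of "<ISO timestamp> <client IP> <path> <HTTP status>" and that a
completed sale appears as a 200 response on a /purchase/ path; the baseline
rate and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed log lines (not real POI traffic): a few minutes of ordinary
    quote-and-buy activity, three minutes of quote requests that never
    convert, then a return to normal."""
    lines = []
    base = datetime(2023, 1, 27, 18, 0, 0)
    for minute in range(5):  # normal: one quote a minute, every other one buys
        t = base + timedelta(minutes=minute)
        ip = f"203.0.113.{10 + minute}"
        lines.append(f"{t.isoformat()} {ip} /quote/travel 200")
        if minute % 2 == 0:
            t2 = t + timedelta(seconds=30)
            lines.append(f"{t2.isoformat()} {ip} /purchase/travel 200")
    for minute in range(5, 8):  # burst: 120 quotes a minute, two sources, no sales
        for i in range(120):
            t = base + timedelta(minutes=minute, milliseconds=i)
            ip = "198.51.100.7" if i % 2 else "198.51.100.8"
            lines.append(f"{t.isoformat()} {ip} /quote/motor 200")
    t = base + timedelta(minutes=8)  # traffic returns to normal
    lines.append(f"{t.isoformat()} 203.0.113.20 /quote/home 200")
    t2 = t + timedelta(seconds=30)
    lines.append(f"{t2.isoformat()} 203.0.113.20 /purchase/home 200")
    return lines


def parse_line(line):
    """Split one access-log line into (timestamp, client_ip, path, status)."""
    ts, ip, path, status = line.split()
    return datetime.fromisoformat(ts), ip, path, int(status)


def window_stats(lines):
    """Aggregate requests, completed purchases and distinct sources per one-minute window."""
    stats = defaultdict(lambda: {"requests": 0, "purchases": 0, "sources": set()})
    for line in lines:
        ts, ip, path, status = parse_line(line)
        w = stats[ts.replace(second=0, microsecond=0)]
        w["requests"] += 1
        w["sources"].add(ip)
        if path.startswith("/purchase/") and status == 200:
            w["purchases"] += 1
    return dict(stats)


def assess(stats, baseline_per_min=5, volume_factor=10, min_conversion=0.05):
    """Walk the windows in time order and attach a decision to each.

    A window is abusive when its volume is at least volume_factor times the
    assumed baseline AND almost none of it converts into a purchase; a burst
    of genuine buyers passes the conversion test and is not flagged. The first
    abusive window yields "throttle"; if the pattern persists into the next
    window the decision escalates to "suspend". Returns a list of
    (window, requests, purchases, distinct_sources, decision) tuples.
    """
    decisions, streak = [], 0
    for start in sorted(stats):
        w = stats[start]
        conversion = w["purchases"] / w["requests"]
        abusive = (w["requests"] >= volume_factor * baseline_per_min
                   and conversion < min_conversion)
        streak = streak + 1 if abusive else 0
        decision = "normal" if streak == 0 else "throttle" if streak == 1 else "suspend"
        decisions.append((start.isoformat(timespec="minutes"), w["requests"],
                          w["purchases"], len(w["sources"]), decision))
    return decisions


if __name__ == "__main__":
    for row in assess(window_stats(make_sample_log())):
        print(*row)
```

Running the script prints one row per minute of the constructed log; the three flood minutes come out as throttle, suspend, suspend and the surrounding minutes as normal. The conversion test is what separates a legitimate spike in buyers from a flood of empty quote requests, which is the distinction the incident report relies on. In production the baseline would be derived from historic traffic rather than fixed, and the suspend step would remain a human decision, as it was here.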
3.2 Use of aggregator data. In May 2023 POI became aware that data from aggregator
quotes was being passed to and stored within the POL Marketing database. Where
customers "click through" to POI this is allowable. However, data was being stored
for all aggregator quotes given to customers, regardless of whether they had "clicked
through". This use and storage were not included in the privacy notices provided to
customers. None of this data had been utilised for either analytical or marketing
purposes and the assessment of the overall data risk was low using the Information
Commissioner's Office self-assessment tool. c.3m customer records had been retained.
This data has now been deleted.
4. How is the Consumer Duty project progressing?
4.1. Members of the Committee have previously been advised that The FCA wishes to set
higher standards for consumer outcomes across the financial services activity. To
achieve this, it is implementing a new core principle which states that “A firm must
act to deliver good outcomes for retail customers”
The detailed requirements for the Consumer Principle can be found in PS22/9 A
New Consumer Duty.
4.2. The core principle will be supported by a series of cross cutting rules which require
firms to:
• Act in good faith towards retail customers;
• Avoid foreseeable harm to retail customers; and
• Enable and support customers to pursue their financial objectives.
These are in turn supported by a customer focus on four core areas:
• Products and Services
• Consumer Understanding
• Price and Value
• Customer Support
4.3. The changes required by the FCA’s Consumer Duty initiative need to be implemented
by the end of July 2023.
4.4 The project is subject to significant Governance. A formal Steering Group was
established in February 2022, led by the Chair of the POI ARC. All ExCo members are
involved in the Steering Group. This group meets monthly.
Underneath this Steering Group there are individual workstreams focused on key delivery
areas. A formal project plan was agreed by the POI Board in October 2022 and is subject to
close checking at both Steering Committee and Working Group level.
4.5 Our project plan is now nearing completion. An Internal Audit review of Consumer
Duty was completed in May 2023 which did not identify any areas of concern. The
plan is on schedule to complete on time and to budget in July 2023.
4.6 The project is joined to our work on the FCA's required tightening of controls for
Appointed Representatives (see section 5 below) and is currently on track.
4.7 Within the reading room for this Committee, we have attached a paper presented to
the Project Steering Group which sets out what has changed as a result of the
Consumer Duty Project and how this has been achieved. Key changes include:
• The appointment of a Board level Consumer Duty Champion.
• A review of all customer facing documents and, via training from Plain English,
a move to ensure that no documents have a reading age of greater than 12.
• A review of all POI processes to identify any processes which might inhibit
customer achievement (in FCA terminology, "sludge practices").
• Improvements to product design and oversight processes.
• Improved self-service functionality, allowing customers to undertake more
functionality online.
• Value and pricing principles have been reviewed for all products.
• The MI and oversight frameworks have also been reformed.
5. Ongoing work to ensure that POI strengthens AR oversight as required by the FCA.
5.1 Members of the Committee will be aware that Post Office Insurance is the principal to
an Appointed Representative (AR) relationship with Post Office Limited. The FCA has
identified AR relationships as a relatively high conduct risk to customers and has set
out new rules requiring principals to strengthen their oversight approach. These new
rules are set out in PS22/11 Improvements to the Appointed Representative Oversight
Regime. A number of requirements relating to the new regime came into force at the end
of 2022 and the regime will be fully implemented a year later.
5.2 Amongst the requirements of firms are more financial and complaint data reporting to
the FCA (notably the need to report AR complaints specifically), the need to undertake
at least annual financial and management due diligence on the AR business, the need
for more contractual break clauses in the contract and the need for the Board to
review and sign off annually on the quality and effectiveness of the oversight regime.
5.3 In addition, the FCA also sets a high standard for the level of oversight and direction
to be provided by principals to AR firms.
5.4 POI has combined its project work with the other principals to POL, Bank of Ireland and
Capital One. This has reduced the workload for the POL business and for POL Senior
Management in respect of due diligence checks. The delivery of our project plan is
currently on track.
5.5 POI has been working for some time to take greater control of the oversight regime
for sales conducted within the branch network. This is against a background of
challenges around the quality of sale and oversight within the branch network. The
objectives of oversight have historically not always been clear, feedback loops have
not always functioned as effectively as they should and there were opportunities to
enhance the branch sales process.
5.6 Whilst there is still work to be completed, progress so far has been encouraging. On
May data, the number of green graded shops has improved from c.30% in the year
before to c.70%, with further initiatives and training still being undertaken. This follows
reforms to the sales process, oversight processes and training.
5.7 Broadly our work on Appointed Representative implementation has proceeded
satisfactorily. However, personal due diligence has proved problematic. Challenges
have been experienced in getting Managers to return relevant documentation including
CVs and self-assessment forms. POL has sought legal advice on three occasions as
the assessment has progressed. POI notes this due diligence will now have to be
performed annually and it is important that processes are streamlined to ensure that
they are effective and properly serve the business.
Appendix A - Risks with Residual Grades of 9 or over
Name: Cyber risks/Data Sec
Owner: Carl Roe
Description: The security of Post Office data is compromised through attack or wilful negligence, causing operational, reputational and financial damage.
Residual score/movement: 15
Commentary/Debate: Cyber security has been the subject of a separate escalation paper to the ARC and Board. Management notes in their discussion of this risk that there has been substantial progress made in the enhancement of cyber controls within the POI estate. However, this has been counterbalanced by the discovery of weaknesses within the POL estate on which we have a dependency. Notably these relate to the Belfast data centre and POL preparedness for a ransomware attack. Overall we agree this risk should remain at the current level.

Name: Inflationary Impact
Owner: Simon Parr
Description: The current high level of inflation is putting pressure on claims costs (notably for home and motor). This creates uncertainty and a need to increase our own prices. Increased prices may make customers less likely to buy discretionary business such as travel and protection.
Residual score/movement: 10
Commentary/Debate: Management have reviewed the latest data from the Bank of England and note that the impact of inflation is at least stable if not increasing. We may move this risk upwards when we next meet.

Name: Recession
Owner: Simon Parr
Description: Economic deterioration impacts sales and customer propensity to purchase or retain our products.
Residual score/movement: 10
Commentary/Debate: It is likely that by the end of 2023 base rates will be at 6%. Management is considering if this risk needs to move upwards. We note however that at this stage we are seeing limited impact on our business, with travel holding up particularly well.

Name: IT failure
Owner: Carl Roe
Description: The failure of key IT systems means POI is unable to sell/service customers.
Residual score/movement: 10 (→)
Commentary/Debate: POI score this risk highly, given the inherent risk. However, uptime has been good, and the overall system reliability has been high.

Name: AR Oversight
Owner: Ian Holloway
Description: POI does not work effectively to oversee POL, with BOI and Capital One, as an AR.
Residual score/movement: 9 (→)
Commentary: Management remains concerned by the lack of progress in completing personal due diligence on POL Managers. More generally there are areas of cross working with POL which require improvement. A review has been requested by the POI Board and is attached as an Appendix to this paper. POL Management have considered moving the score for this risk upwards but note that, as it stands, it is rated quite high, which reflects our perception of inherent risk, which is certainly not currently reducing.

Name: People Risk
Owner: Ed Dutton
Description: POI is not structured correctly and/or does not have people of the right quality doing the right things in the right roles.
Residual score/movement: 9
Commentary: Management had considered a reduction in this risk level given reasonable pay rises and the backdating of the pay rise. However, given uncertainty over bonus levels, the risk score has been maintained.

Name: Reputation
Owner: Ed Dutton
Description: The risk that the Post Office brand suffers damage with a consequent impact on the propensity of customers to purchase or retain POI products.
Residual score/movement: 9
Commentary: The failure to meet fully the bonus gateway requirements for provision of data to the enquiry will further enhance Historical Matters scrutiny. A number of media outlets continue to report in detail the evidence from the enquiry and ITV plans a miniseries on the scandal. Whilst there is as yet no evidence that this is impacting customer propensity to purchase our products, the risk that this will be impacted in the future remains.
Tab 8 Postmaster Policies
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Postmaster Support Policies - Annual Review
Meeting Date: 10 July 2023
Author(s): Jo Milton, Senior Operational Improvement Manager; David Southall, Head of Contract Management & Deployment
Sponsor: Martin Roberts, Group Chief Retail Officer
Input Sought: Approval
The Committee is asked to approve four updated postmaster support policies to be effective
from the date of the Audit, Risk and Compliance Committee’s (ARC) approval:
Postmaster Contract Performance
Postmaster Contract Suspension
Postmaster Contract Termination
Postmaster Decision Review
In addition to the four updated postmaster support policies the Committee is asked to
approve the following:
« Postmaster Suspension Decisions Governance Committee - Terms of Reference
Executive Summary
Following the Group Litigation Order (GLO), Post Office created a suite of postmaster support
policies, all of which were initially approved by ARC in 2021 and have been in use since.
The purposes of these internal policies are to provide guidance, set down principles and
highlight risk areas, while also ensuring that Post Office can support postmasters effectively
and compliantly with the GLO.
In March 2022, ARC agreed that annual reviews should continue to take place, on a phased
basis. This financial year, ARC has approved 8 of the 12 postmaster policies and this paper
seeks approval for the final 4, following their annual review.
Report
Background
1. The policies require an annual review and subsequent approval from ARC.
2. These policies were last submitted to RCC in May 2023 but were not approved, with a
request that any thematic or specific feedback from the internal policy assurance reviews
by the Post Office Compliance team was incorporated. At the time of submission formal
feedback from the assurance reviews had not been received and, noting that these policies
were last approved in March 2022, they are presented for approval. It is likely that the output
Internal
of these reviews will see changes to the policy controls. Any changes, made following the
assurance reviews can be presented back to ARC in September.
Overview of changes made
3. General updates have been made to the policies:
a) Branding has been updated as advised by Post Office’s Brand team.
b) Policy owners and sponsors were updated following organisational changes.
c) Responsibilities of the Risk and Compliance Committee and Audit, Risk and Compliance
Committee have been added to the Roles and Responsibilities section.
d) References to ‘Whistleblowing’ have been changed to ‘Speak Up’, consistent with
changes made by the Speak Up Manager to encourage a Speak Up culture.
e) Speak Up contact details have been added (NFSP request).
4. A list of more specific and minor updates in each policy are set out in Appendix 9, but the
main changes are summarised below:
Postmaster Contract Performance
a) A control standard was amended to reflect that a Contract Performance Rationale may
not be completed on every occasion. Completing a rationale document for every
escalation that comes into the team means that issues are not being dealt with in a
timely manner. Full records of the investigation will be kept on Dynamics, as well as
the reasoning behind why any action was taken.
b) Assurance reviews of contract performance cases currently performed by the Head of
Contract Deployment will now be undertaken by the Central Investigations Unit as
part of the Investigation Branch Control Assurance Framework, which is currently
being finalised.
Postmaster Contract Suspension
a) Assurance reviews of suspension and termination decisions currently performed by
the Retail Operations Director will also now be undertaken by the Central
Investigations Unit as part of the Investigation Branch Control Assurance
Framework.
b) Additional governance introduced whereby a Postmaster Suspension Decisions
Governance Committee will both:
o Review and approve all decisions to suspend a Postmaster’s Agreement;
o Review all ongoing Postmaster Agreement suspensions and approve that it is
reasonable and proper to keep a postmaster suspended.
Please see Appendix 10 for a copy of the Terms of Reference for the Postmaster
Suspension Decisions Governance Committee
Postmaster Contract Termination
a) Assurance reviews of suspension and termination decisions currently performed by
the Retail Operations Director will also now be undertaken by the Central
Investigations Unit as part of the Investigation Branch Control Assurance
Framework.
The Postmaster Contract Termination policy will undergo further changes to bring the
governance of termination decisions in line with suspension decisions. These changes
will be reflected following the completion of the assurance reviews for submission to ARC
in September.
Postmaster Decision Review
a) Addition of a non-voting Panel Chair to the Decision Review Panel. This will be a former
postmaster.
b) Clarification in the event of Accounting Dispute Decisions that these can only be upheld
or overturned, rather than a decision to reduce the amount owed.
5. The National Federation of Sub-Postmasters have been consulted about the changes in
the Contract Performance, Contract Termination and Decision Review policies and were
satisfied. They are currently being consulted about the addition of the Postmaster
Suspension Decisions Governance Committee to the Contract Suspension policy.
6. Please see Appendices 1 to 9 showing marked up versions of each policy, clean updated
versions and a more detailed summary of all changes made.
Next Steps & Timelines
7. Following approval of the policies, Post Office will ensure that:
e All relevant teams are fully trained on the updates to the policies by the end of July
2023.
e The updated policies will be made available on the Post Office Intranet site.
e Any further feedback as a result of internal assurance reviews by the Compliance team
will be reviewed and actioned as appropriate for presenting at ARC in September 2023.
e The 23/24 annual reviews begin with the Postmaster Account Support and Postmaster
Accounting Dispute Resolution policies, which will be presented to ARC for approval in
September.
Appendices
All appendices are available in the Diligent Reading Room
1. Postmaster Contract Performance Policy V4.0 Marked up
2. Postmaster Contract Performance Policy V4.2 Clean PDF
3. Postmaster Contract Suspension Policy V4.0 Marked up
4. Postmaster Contract Suspension Policy V4.2 Clean PDF
5. Postmaster Contract Termination Policy V4.0 Marked up
6. Postmaster Contract Termination Policy V4.2 Clean PDF
7. Postmaster Decision Review Policy V2.0 Marked up
8. Postmaster Decision Review Policy V2.3 Clean PDF
9. Postmaster Policy Review Changes
10. Postmaster Suspension Decisions Governance Committee Terms of Reference PDF
Tab 9 Modern Slavery Statement
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Modern Slavery Act Statement
Meeting Date: 10 July 2023
Author: David Southall, Head of Contract Management & Deployment
Sponsor: Martin Roberts, Group Chief Retail Officer
Input Sought: Approval
Post Office ARC is asked to approve the 2023/2024 Modern Slavery Statement and endorse
the proposed commitments POL will take forward in the 2023/2024 financial year.
Previous Governance Oversight
We consulted all members of the Modern Slavery Act (MSA) Steering Group, which comprises
representatives across functions including Legal, Procurement, Risk, Employee Relations
and Learning and Development.
Executive Summary
The Modern Slavery Act 2015 (the Act) challenges slavery, domestic servitude, forced and
compulsory labour and human trafficking.
Under s.54 of the Act, Post Office as a large business is required to produce an annual slavery
and human trafficking statement (the Statement) setting out what steps have been taken to
ensure its business and supply chains are mitigating the risks of modern slavery. This paper
attaches Post Office’s annual Statement which documents progress on our previous year’s
commitments and outlines the actions that we commit to take in the year ahead.
Overall, the Post Office is compliant with the Modern Slavery Act 2015 in terms of its legal
obligations. In previous years we engaged an external consultant ‘Good Values’ to inform and
validate our approach to Modern Slavery, a commitment for 2023/24 is for Post Office to
consider options for an independent assurance check on Post Office’s Modern Slavery processes
to inform and validate our approach. Post Office has made good progress against each of the
commitments made for 22/23 and has ensured robust governance and oversight of progress
against actions via a steering group, meeting monthly.
Post Office has prepared a new Statement for 2023/24 in line with the Act, which must be
published on Post Office’s website within 6 months of financial year end. It details the
progress made against the actions committed to for 22/23, as well as our proposed
commitments for 23/24, which include drafting a Modern Slavery & Human Trafficking policy
to support business processes and underpin the Modern Slavery Statement and incorporating
Modern Slavery awareness into annual compliance training for Postmasters and their staff. A
copy of the Statement for 23/24 can be found at Appendix One.
Questions addressed
1. Why do we need an updated Statement?
2. What are the key points to note about our Statement?
3. What are the risks and is the Post Office compliant with the Act?
Confidential
Why do we need a Modern Slavery Act Statement?
1. According to s.54 of the Act, the requirement to publish a Statement applies to
"commercial organisations" which (a) supply goods or services and (b) have a total
turnover of not less than £36 million. It will therefore not apply directly to Postmasters if
their annual turnover is less than £36 million. As Postmasters are part of the Post Office
supply chain, however, Post Office must state what steps it has taken to ensure that it
mitigates the risk of slavery and human trafficking in any of its supply chains or its
business. Payzone has a turnover well below the threshold so is not legally required to
produce a separate Modern Slavery Statement. Nevertheless, our Modern Slavery
Statement also covers Payzone and POI as businesses owned by the Post Office.
2. Post Office is required under s.54 of the Act to produce an annual slavery and human
trafficking statement listing the steps taken to mitigate the risk of modern slavery in its
business and supply chains. This paper attaches the annual Statement (Appendix One)
which records what steps we have taken in 2022/2023 and outlines the actions we
commit to take in 2023/2024. The Statement must be approved by the Post Office
Board, signed by a Director and linked to via a prominent page on Post Office's website.
What are the key points to note about our updated Modern Slavery Act Statement?
3. Our 2023/2024 statement records the progress we have made against those
commitments and lists our commitments to tackle modern slavery across the POL group
for the financial year 2023/2024. The commitments were developed by the Modern
Slavery Steering Group (MSSG) which includes representatives from Legal,
Procurement, Risk, Employee Relations and Learning and Development.
4. We have made good progress against our commitments for 22/23 and a detailed
overview can be found in the Statement itself in Appendix One. Key highlights however
are:
a. We have increased the number of proactive ‘Modern Slavery observations’
(observations for any signs of concern in branch conducted by area managers as
part of other duties) made across the year, with over 16,446 observations
completed in 22/23 versus 7206 the previous year.
b. A network investigation process has been developed and implemented which is
in line with our Group Investigations Policy.
c. We have continued to communicate across all areas of the business and to our
Postmasters to raise awareness of Modern Slavery, its identifying factors and
importance. Details and links to relevant communications can be found in
Appendix Two.
d. We continue to deploy our Modern Slavery online training including videos from
Government best practice sources. Our training is now deployed to all Post Office
Employees, and we achieved a 98.2% participation completion rate against a
target of 95%.
Post Office Insurance (POI)
5. POI continues to carry out regular due diligence and reviews of the following gold/silver suppliers. Whilst due diligence was limited to remote reviews during the pandemic, POMS have not found any material issues with the suppliers' adherence to the MSA. For each supplier the role and the location of its own Modern Slavery Statement are shown:
• BISL (BGL) - Motor Insurer - Located on corporate website
• Cardif Pinnacle - Pet Insurer - Located on corporate website
• Collinson (CISL) - Travel Insurer - Located on corporate website
• ERGO - Travel Insurer - Located on corporate website
• Taurus - Gadget Insurer - Not required; however, a copy of their MSS policy has been provided
• Webhelp - Contact Centre - Located on corporate website
• Reassured - Contact Centre - Located on corporate website
• Premium Credit Limited - Premium Finance provider - Located on corporate website
• DAS - Legal Expense Insurer and Home Emergency provider - Located on corporate website
• Ageas - Home Insurer - Located on corporate website
• Accenture - IT platform and maintenance - Located on corporate website
• Post Office Limited - Support Services - Located on corporate website
• Neilsen Financial Services - Home Insurance - Located on corporate website
What are the risks and is the Post Office compliant with the Act?
6. For Post Office Group, the main areas of risk continue to be modern slavery occurring somewhere within its branch network or in the supply chains of its branch network, and:
• Public perception that where a Post Office fascia is in place the facility is a Post Office and not an independent retailer that "includes" a Post Office service.
• Risk by association for those working under a Post Office fascia but also operating other businesses, directly and indirectly associated with retail.
• A challenging dialogue to have with consumers about trust and control of Postmasters if something goes wrong. Given the public perception that the Post Office controls all places where there is a Post Office fascia, stating in defence that "We do not control them", "We did not know about this" or "We have T&Cs that prohibit this" would not be good enough in the public domain, and there would be reputational damage.
7. The highest level of risk continues to be within our Agency Network due to the lack of
direct control over operations here. There are also risks associated with proximity of
brand and public perception (for example when Post Office branding appears on retail
packaging, sourced by one of its suppliers). Our approach to addressing these risks is
overseen by the Steering Group.
Overall, POL and the Statement are, to the best of our knowledge, compliant with the legal obligations of the Act, as assessed by the POL in-house legal team and endorsed by the MSSG. We previously worked with a third party, 'Good Values', who provided external validation of our work on Modern Slavery. For the coming year, GE should consider again engaging the services of a third-party adviser to inform and validate our approach to MS.
Appendix Three sets out the consequences of failing to prepare or publish a modern slavery statement.
Risk Assessment, Mitigations & Legal Implications
17. A potential consequence of failing to show adequate progress on tackling modern slavery within the company statement is damage to reputation and brand. Government guidance on the Modern Slavery Act and expectations from civil society are for companies to show year-on-year progress on how they are tackling the risks of modern slavery within their operations and supply chain.
18. Our annual statement therefore has to be more than just a tick-box exercise and must demonstrate a material commitment to tackling the potential risk of modern slavery within the organisation. We are confident that the detail in our 2023/2024 statement, recording our progress on last year and our proposed actions for the financial year 2023/2024, is appropriate. We will monitor developments and keep the adequacy of the Statement under review.
Next Steps & Timelines
19. The Statement must be published on Post Office's website within 6 months of the financial year end (by 26 September 2023).
Tab 10 Policies for Approval
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Policy Update
Meeting Date: 10 July 2023
Author: Reena Chohan, Policy Compliance Manager
Sponsor: Jonathan Hill, Group Compliance Director / Ben Foat, Group General Counsel
Input Sought: Approval
The Committee is asked to review and approve the following updated policies for the business
to take forward:
i. Financial Crime Policy;
ii. Anti-Bribery and Corruption Policy;
iii. Anti-Money Laundering & Counter Terrorism Funding Policy; and
iv. Modern Slavery Statement
Previous Governance Oversight
Risk & Compliance Committee (RCC), 27 June 2023
Executive Summary
This paper provides a summary of changes that have been made to the policies below as part
of their annual review process for the ARC to consider.
Questions addressed
1. Which policies were updated in this annual cycle review?
2. What updates were included and why?
3. What is Compliance's assurance view of the status / Minimum Controls Standards for each policy?
Which Group policies were updated in this annual cycle review?
In this review cycle the following group policies were revised, reviewed and updated as per the
annual review process.
Policy | Last Reviewed | Updates | GE Sponsor | Governance/Approval Body
Financial Crime Policy | June 2022 | Minor corrections and revisions made this annual review | Group General Counsel | RCC & ARC
Anti-Bribery and Corruption Policy | June 2022 | Refer to separate paper submitted by the policy owner | Group General Counsel | RCC & ARC
Anti-Money Laundering & Counter Terrorism Funding Policy | June 2022 | Minor corrections and revisions made this annual review | Group General Counsel | RCC & ARC
Modern Slavery Statement | 2022 | Refer to separate paper submitted by the policy owner | Head of Contract and Deployment | RCC, ARC & Board
What updates were included and why?
1. A summary identifying the changes and updates to the policies and statements has been added below:
2. Financial Crime Policy: The policy has had minor corrections and revisions made, and the following updates were made to the policy in this annual review:
a) Minor update to current control owners (change of job title only)
b) Addition of new legislation: Economic Crime Act 2022
c) Updated new company registered address to Wood St
The policy owner has confirmed in their attestation that each minimum control standard stated within the policy is being met and can be evidenced through the Financial Crime Policy FPAF Q1 2023/24 Financial Crime Assurance Review conducted by the Financial Crime Team.
Compliance completed a policy assurance review on the policy in July 2021. The overall review
of the policy concluded as Satisfactory - no findings, no control weaknesses or process
inefficiencies identified.
3. Anti-Bribery and Corruption Policy: Please refer to the Head of Financial Crime's Annual Review paper submitted on Anti-Bribery & Corruption, including Gifts & Hospitality.
The policy owner has confirmed in their attestation, that each minimum control standard
stated within the policy is being met and can be evidenced through the Q1 2023/24 ABC
assurance review conducted by the Financial Crime Team.
4. Anti-Money Laundering and Counter Terrorism Funding Policy: The policy has had minor corrections and revisions made, and the following updates were made to the policy in this annual review:
a) Minor update to current control owners (change of job title only).
b) Addition of new legislation - Economic Crime Act 2022
c) Updated new company registered address to Wood St
The policy owner has confirmed in their attestation that each minimum control standard stated within the policy is being met and can be evidenced through the AML and CTF Policy FPAF Q1 2023/24 Assurance Review conducted by the Financial Crime Team.
5. Modern Slavery Statement: Please refer to the separate paper submitted by the
Head of Contract and Deployment.
The policy owner has confirmed in their attestation that they are satisfied that the process to
report any control failures is robust and is monitored and reported on via the MSA Steering
Group and that compliance with the statement is being met and can be evidenced.
Compliance conducted an assurance review on the Modern Slavery Statement in March 2022; the overall rating applied was 3 (Medium - Satisfactory, room for improvement), with some weaknesses identified around internal controls such as records, systems and reporting. Compliance at the time recommended that the business continue to implement and follow through the recommendations, including those driven by the KPMG report.
Assurance
Assurance reviews on Group Key Policies have been put on hold whilst the Policy Compliance Manager assists on Historical Matters Assurance activity. Postmaster Support Policy assurance reviews are still being conducted for the remainder of the year, to support and coincide with the work being done on Historical Matters.
6. The policies in both clean and tracked changed versions can be found in the reading room.
7. Conclusion
We continue to work with Policy Owners and Company Secretariat to ensure we maintain our
policy governance responsibilities and undertake assurance that the policies are working as
expected. This is a key part of the wider Post Office controls work.
Policy Appendices
1. Financial Crime Policy (Clean)
2. Financial Crime Policy (Track Changed)
3. Anti-Bribery and Corruption Policy (Clean)
4. Anti-Bribery and Corruption Policy (Track Changed)
5. Anti-Money Laundering and Counter Terrorism Funding Policy (Clean)
6. Anti-Money Laundering and Counter Terrorism Funding Policy (Track Changed)
*Please note that the Anti-Bribery & Corruption Including Gifts & Hospitality and Modern
Slavery Statement will be submitted directly and discussed in separate papers by the Policy
Owners.
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Anti-Bribery and Corruption
Meeting Date: 10 July 2023
Author: Sally Smith, Money Laundering Reporting Officer & Head of Financial Crime
Sponsor: Ben Foat, Group General Counsel
Input Sought: Decision and Noting
The Committee is asked to review the contents of this report, approve the actions from the ABC risk assessment (including the recommendation to increase the gift reporting and approval thresholds) and the updated ABC Policy, and re-confirm the Corporate website statement.
Previous Governance Oversight
The last annual ABC report and Policy amends were approved in July 2022
Executive Summary
The ABC risks for Post Office Group were re-assessed in Q1 2023/24 and demonstrated that
control strengths have improved with no areas of material concern identified. The overall
residual risk is within risk appetite and is considered low.
Some minor areas requiring attention were identified, and the reports outline how the Group
can make control improvements and further reduce exposure to the risk of bribery and
corruption.
A good standard of gifts and hospitality reporting was observed in 2022/23, with no significant
breaches of Group Policy. Following the last annual ABC report, quarterly GE level reporting
was re-introduced to assist with GE oversight of the appropriateness of gifts and hospitality
acceptance across their teams.
Formal monitoring of compliance with the ABC policy minimum controls standards is in place,
providing assurance that Post Office is complying with its ABC policy.
The ABC policy has been reviewed with minor changes and there have been no changes to
legislation since the last review. However, it is proposed to increase the gift reporting threshold
(£20 to £25) and GE approval limit (£100 to £150).
Questions addressed
1. What changes to the Policy do we propose and why?
2. What are the implications of these changes?
3. What issues have been highlighted by the ABC risk assessment and annual review of Gifts & Hospitality and charitable donations?
4. What actions need to be undertaken to address any issues?
Annual Policy review:
5. There have been no regulatory changes impacting ABC and no significant UK-based anti-
bribery and corruption cases or enforcement action by regulators in the last year requiring
changes to Post Office Group Policy.
6. Minor amendments have been made to reflect the organisation's new registered address (Wood Street), and control owners' details have been verified and updated.
7. An amendment to the gift reporting and approval limit is proposed, increasing the
minimum reportable limit from £20.00 to £25.00 due to inflation and the GE approval
requirement limit from £100.00 to £150.00 to reduce GE approval instances and place
more responsibility on line management. The annual review considered an increase to GE
approval for hospitality, but the current limit (£200) was deemed appropriate given
current public scrutiny.
8. Quarterly assurance of compliance with policy minimum control standards has continued,
and the most up to date assessment (Q1 2023/24) can be found in Appendix D.
Annual Gifts & Hospitality (G&H) and Charitable Donations review
9. Hospitality has slightly decreased, and gifts have marginally increased, during 2022/23 when compared to 2021/22 (see Appendix B & C for annual data):
• In 2022/23 there were 32 gift reports (59 individual recipients) totalling £1,849.82 and 169 hospitality reports (157 individual recipients) totalling £46,496.99
• In 2021/22 there were 29 gift reports (29 individual recipients) totalling £1,908.77 and 104 hospitality reports (224 individual recipients) totalling £13,839.00
10. There were 2 instances of employees accepting a gift of cash equivalent (gift cards &
vouchers) from external third parties which were approved by line management. The
breaches were raised with line management to return the gift and all employees have
been reminded of the policy requirements.
11. Regular GE level reporting of G&H submissions was reintroduced in Q2 2022/23. The
report highlights issues covering their reporting lines and provides oversight of volumes,
values, recipients of multiple offers and third parties offering multiple G&H. The highest
volume and value of gifts and hospitality was received by the Commercial business team
in 2022/23.
12. A review of the external companies that have offered G&H to Post Office in 2022/23 has
not identified any significant issues and all were assessed as proportionate and appropriate
at approval. The top 5 are detailed below:
External Third Party | Employee Response | Report Volume | No. of recipients | Value per recipient | Total Value
Herbert Smith Freehills* | Accepted | 6 | 27 | | £2240.00
Herbert Smith Freehills* | Declined | 4 | 16 | £40.00 | £640.00
Herbert Smith Freehills* | Total | 10 | 43 | £66.98 | £2880.00
Ageas | Accepted | 2 | 2 | £125.00 | £250.00
Ageas | Declined | 8 | 8 | £225.00 | £1800.00
Ageas | Total | 10 | 10 | £205.00 | £2050.00
Collinson Group | Accepted | 6 | 15 | £92.67 | £1390.00
Collinson Group | Declined | 0 | 0 | £0.00 | £0.00
Collinson Group | Total | 6 | 15 | £92.67 | £1390.00
Norton Rose Fulbright | Accepted | 4 | 24 | £43.83 | £1052.00
Norton Rose Fulbright | Declined | 1 | 4 | £44.00 | £176.00
Norton Rose Fulbright | Total | 5 | 5 | £245.60 | £1228.00
Adobe | Accepted | 5 | 5 | £70.00 | £350.00
Adobe | Declined | 1 | 1 | £60.00 | £60.00
Adobe | Total | 6 | 6 | £68.33 | £350.00
* Offers from Herbert Smith Freehills in 2022/23 have been referred to the Legal Team to ensure these were appropriate
and proportionate, given their role in supporting the Public Inquiry work.
Charitable donations were made as below:
Date | Name of charity | Description | Category | Offered or Received | Amount
29/4/2023 | Trussell Trust | POL donated 1p for every cash withdrawal over a PO counter between P1 and P12 22/23 | Monetary | Offered | £266,360.40
09/05/2022, 30/06/2022, 20/10/2022, 12/01/2023 | Charities Trust | Funding for POL employee matched funding and branch matched funding programmes. Note: a small balance was carried over to 2023/24 but held by Charities Trust. | Monetary | Offered | £20,000 (paid in 4 equal £5k instalments)
Risk Assessment, Mitigations & Legal Implications
13. Anti-Bribery & Corruption (ABC) assessments of Post Office Group were completed in Q1 2023/24 (the close-down reports can be found in the Reading Room).
14. Action plans have been drafted from the assessments; however, these recommendations are minor in nature and would not substantially impact the residual risk score.
Post Office Limited:
15. The residual risk remains within Group risk appetite. Improvements were identified in the following key areas:
• ABC Policy quarterly control testing has been completed with no significant findings.
• The Whistleblowing Framework is maintained to a good standard with evidence of best practices being applied (resource dedicated for investigations, employee training).
• G&H reporting remains aligned with the expected level of submissions, with evidence of corrective action being taken when/where required.
• Quarterly GE reporting of G&H submissions has been reintroduced to improve governance oversight.
• Continued communications to raise awareness of ABC policy and procedures across the organisation have assisted control performance.
Post Office Insurance:
16. The residual risk remains within Group risk appetite and has improved from 0.83 to 0.14
since the last assessment. The reduction reflected the improved alignment of policies and
procedures between POI and POL.
17. One recommendation from the last assessment has not yet been addressed; Post Office
Vetting Policy v2.4 sets out the Group’s overall risk appetite and controls but explicitly
sets out that POI should have their own policy. POI apply the POL vetting principles and
the standards of the Senior Managers Certification Regime, but this is not currently
documented in the format of a statement or policy and it is recommended this is
addressed.
Payzone Bill Payments:
18. The residual risk score remains within Group risk appetite, and has further reduced since
the last assessment, reflecting the significant alignment of policies and procedures
between PZBP and POL, with positive control improvements to the areas of G&H, HR
Vetting, Charitable and Political Donations. The assessment did not identify any significant
findings and the main observation related to the absence of any G&H submissions.
19. PZBP have confirmed that offers of G&H are rare and only usually received around
Christmas time. PZBP continue to attest that training and communications are provided
to employees regarding reporting requirements.
Stakeholder Implications
20. No material changes are required to comply with the updated Policy. If approved, the G&H
reporting tool will be amended to reflect the new limits and communicated to employees.
21. The Compliance team will work with stakeholders across the business to improve first line
compliance with the ABC policy as part of the overall Compliance strategy work.
22. The Corporate website ABC statement has been reviewed, but no changes are
recommended (see Appendix A for current statement).
Next Steps & Timelines
23. Financial Crime Compliance will pursue and oversee the action plans to remediate residual
risks identified in the ABC risk assessments with relevant stakeholders during 2023/24.
Progress will be reported via Compliance reporting to the RCC and ARC.
24. Continue quarterly GE level reporting of Gifts and Hospitality.
25. ABC training content is being updated and will be delivered to all employees in September
2023. On-going communication and awareness will be delivered throughout 2023/24.
Sally Smith
MLRO & Head of Financial Crime
13 June 2023
Tab 13 Speak Up Report to ARC Members
POST OFFICE LIMITED ARC COMMITTEE REPORT
Title: Quarterly Speak Up Update
Meeting Date: 10 July 2023
Author: Mair Haynes, Speak Up Analyst; John Bartlett, Head of CIU
Sponsor: Sarah Gray
Input Sought: Decision/Discussion/Noting
Executive Summary
This is the first of what will be regular updates on Speak Up activity.
More reports are being seen of branches refusing to comply with requests to return excess cash. This is often to cover large discrepancies, which may lead to allegations of theft or robbery.
Volumes of Speak Up cases may have fallen slightly from last quarter; however, there are currently 17 open investigations, and their complexity and scale make them time and resource intensive.
Purpose
The purpose of this report is to provide ARC with an overview of Speak Up activity, the risks
raised by those reports, and action taken to mitigate those risks.
Speak Up Reports this quarter
Public Interest Disclosure Act 1998 (PIDA)
Qualifying disclosures are those where the reporter reasonably believes that one or more of the
following matters is either happening now, took place in the past, or is likely to happen in the
future: Criminal Offences; Failure to comply with an obligation set out in law (including
regulatory breaches); Miscarriages of justice; Endangering of someone's health and safety;
Damage to the environment; Covering up wrongdoing in any of these categories.
Three of the seven reports received this quarter are PIDA qualifying and were all raised directly by whistleblowers into the Speak Up email address.
• Two of these were allegations of bullying:
  o One related to managers and was raised anonymously. This was closed as Unsubstantiated as the reporter refused to engage any further. However, we engaged with Employee Relations (ER), who are trying to be more visible in the office and are undertaking work around the culture and behaviours being reported.
  o One related to a cleaner and was raised by a member of staff. This was closed as Substantiation Undetermined, and the reporter was advised to report to their line manager and/or ER. Dignity at Work and Grievance Policies were provided.
• The third report is an open case around Compliance & Regulation Violations and is being investigated under the name Project WILLOW. This is likely to be passed to external investigators due to the high-profile nature of the people and project involved.
[Highly Sensitive]
In total, seven reports have been received into the Speak Up function this quarter (April - June 2023), a reduction of two from the previous three months.
• Three reports relate to theft, which is the most common type of allegation we receive. Of these, two are against OICs¹ and one against the postmaster. In the case of one of the OICs, allegations of coercive behaviour have also been made against the postmaster (the wife of the OIC), where POL's cash has allegedly been used to support the retail business. The other two theft reports were both reported via the Speak Up email address and were identified by Branch Assurance Visits, which took place because the branches had not complied with requests to send back excess cash.
• Two bullying cases received this quarter have now been closed. As these were both protected disclosures, they are detailed under the PIDA section of this report.
• One Compliance & Regulation Violation case has also been reported, which is being investigated under the name Project WILLOW. This is a PIDA case.
• A report has been received of potential modern slavery, whereby a male was found to be living and sleeping on the floor of a small office adjoining a Royal Mail sorting office within a Post Office. The postmaster states the male is nothing to do with Royal Mail, Post Office or the sorting office and refuses to give any further details. This has been reported to the police, Unseen (Modern Slavery & Exploitation charity), the Gangmasters Licensing Authority and our Security team for information. It is also being reported to the HSE due to potential security and safety risks.
An additional 25 reports have been received into Speak Up this quarter. These have been
triaged and further enquiries made and clarified to inform next steps. The majority of these
relate to working practices in branch (sharing SmartID, processing retail items through PO
etc) and 18 of the 25 have been either closed ‘No Further Action’ or signposted to other
departments or agencies for advice (Contracts, Area Managers, ACAS, Royal Mail etc). The
remaining seven are still awaiting further information, either from the reporter or other
departments, before a decision is made regarding being accepted for investigation.
Ten cases have been closed this quarter, the majority of which were active in the previous quarter:
• Two cases were 'partially substantiated':
  o A PIDA allegation into the behaviour of high-profile managers, which was outsourced to an external agency due to the seniority of the subject involved (Project ROSE1). A comprehensive report including recommendations has been provided.
  o The reporter raised multiple issues including the sharing of SmartIDs, insecurity of the branch, mail items being left unsecured and the general treatment of staff. The issues were passed to the security team and Contracts, and the reporter was directed to ACAS².
¹ Officers In Charge: employees of Postmasters nominated to run an individual post office day to day.
² ACAS (Advisory, Conciliation and Arbitration Service): provides free advice and support around pay, working conditions etc. to non-POL employees, including Postmasters, OICs and Clerks.
• One case of bullying by a contractor was closed as 'substantiation undetermined', with the reporter being directed to ER for advice.
• Four cases were closed as 'unsubstantiated' as there was not enough evidence to support the claims:
  o Two of bullying (one a PIDA case, detailed in that section); the other was a report from staff members accusing the postmaster of bullying behaviour. These members of staff produced an unauthorised recording of an alleged incident, although upon listening to the recording it was deemed that the postmaster behaved in a courteous, professional manner. The staff members were referred to ACAS.
  o One case of potential money laundering, where PSNI reported a large volume of Scottish and Irish notes being returned to Bank of Ireland by a branch in Northern Ireland. It was later established that the cash had been repatriated by the cash centre.
  o The fourth unsubstantiated case related to an allegation of theft of a parcel at a branch. The reporter claimed that Royal Mail had left a parcel at the branch for them to collect; however, it was not there when they went to pick it up. The delivery image did not clearly show where the parcel had been left, and it was not signed for. Royal Mail could provide no further details. The branch has now closed, and as such we are unable to progress this any further.
• Three cases were closed as 'other'. These were either signposted or passed to other teams/agencies to deal with.
Outreach
This quarter, the Speak Up function has been promoted by the team to:
• Contracts Advisor Leander Fitzharris, for onward dissemination to the wider team, Finsbury Dials
• NFSP Conference, Stratford on Avon
• Network Monitoring, Network Reconciliation, Network Support & Resolution Team (tier 2), Case Review & Investigation Team (CRIT, tier 3) and Contracts (all postmaster-facing teams), Chesterfield and on Teams
Challenges
The continued lack of a reliable, comprehensive reporting system with functionality for direct reporting, analysis and data sharing hinders the effectiveness of the team, both in managing individual cases and in thematic analysis.
Difficulties around extracting and maintaining data in the current stand-alone Speak Up reporting platform lead to potential duplication of work, with information also being recorded elsewhere.
Lack of investigative resource as more complex, time-intensive cases are received.
Lack of resource in other departments means delays in receiving supporting reports and information.
Lack of police buy-in for some investigations, and then constraints within POL in producing and
exhibiting evidential matter.
Appendix 1
[Charts: "Reports Received into Speak Up by Quarter" (Jan - Mar 2023 and Apr - Jun 2023, split by PIDA); "Speak Up Cases Received Apr - Jun 2023" by How Reported (legend: Area Manager, Customer Su..., Direct Whist..., Grapevine, Service & Su...); Subject; Status.]
Speak Up Cases Closed Apr - Jun 2023 (outcomes: Other / Partially Substantiated / Substantiation Undetermined / Unsubstantiated)
Bullying: Substantiation Undetermined 1; Unsubstantiated 2
Theft: Unsubstantiated 1
Compliance/Regulation Violations: 1 (outcome column not legible in the extracted table)
Employee Relations: 1 (outcome column not legible in the extracted table)
Modern Slavery: no legible entry
Money Laundering: Unsubstantiated 1
Unprofessional Behaviour: no legible entry
Total: Other 3; Partially Substantiated 2; Substantiation Undetermined 1; Unsubstantiated 4
Subjects of Speak Up Cases Received (columns: Contractor/agency worker, Employee, Officer In Charge, Other, Postmaster, Total; the per-subject counts below are as extracted and their column positions were not preserved)
January: 2, 3; total 5
February: 1, 1, 1, 1; total 4
April: 1, 1; total 3
May: 1; total 1
June: 1, 2; total 3
Total: 5, 3, 1, 6; grand total 16
Tab 14.1 Procurement Governance & Compliance
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Procurement Governance & Compliance Report
Meeting Date: 10 July 2023
Author: Liam Carroll, Procurement Director
Sponsor: Alisdair Cameron, Group Chief Finance Officer
Input Sought: Noting
The Committee is asked to review the report, noting the Procurement Risk Exceptions submitted
to the Post Office Limited Group Executive and Board since May 2023. A visual breakdown of
all Open incidents on 1 June 2023 is available in Appendix 1.
Executive Summary
1. Since the last RCC and ARC report in May 2023 there have been no new Risk Exceptions submitted to the Group Executive and Board for approval. Our overall non-compliance value has remained at £12.7M.
2. There are a number of issues with the data quality of contracts held in the Web3 system which may lead to the discovery of further non-compliance. A paper is being prepared by Legal and Procurement setting out the issues and improvement recommendations; it will be tabled for discussion at GE in August, and then brought to RCC and ARC in September for discussion and approval.
Report
3. Across the Group¹ Post Office operates a decentralised contract management model whereby individuals across the business are responsible for managing the relationships between Post Office, vendors, and the respective contracts. This model was approved at ARC in September 2020, as it was considered more cost efficient and less disruptive than creating a centralised contract management team.
4. In 2021 a previous report to RCC and ARC highlighted the continuing issues with the adoption and embedding of contract management across the business. Several improvements in training and reporting were implemented.
5. Despite the previous work undertaken to address the aspects highlighted in 2021, we are still seeing significant compliance issues in the adoption of the Contract Management Framework.
Compliance issues
6. Quality of information in the Contract Management repository:
• The initial contract loading in 2021 included many expired/historic contracts; these and many of the records created since have missing or incorrect information that has not been updated.
• There is no process established to manage movers and leavers within the business, and therefore the Contract Management module holds a lot of orphaned information. This makes the reporting from the system inaccurate.
¹ Post Office Limited, Payzone Bill Payments Limited, Post Office Management Services.
• There are many contract records in draft/failed status that require housekeeping to enable accurate reporting and compliance assurance.
• The contract module is designed to send automated notifications to the Contract and Sourcing Managers 90, 60 and 30 days prior to contract expiry. However, this is reliant on the information in the Contracts Module record being up to date.
• Reporting from the Contract Management Module is inaccurate due to the inaccuracy of the data. GE members receive monthly reports to monitor contracts for their business area, but contracts will only be listed in their reports if they are named as GE owner on the contract record; in a recent snapshot only 55% of the records had this information accurately recorded.
7. Confusion over the information to be loaded into the CAF and Web 3 systems is leading to inconsistencies in the data and compliance issues. For example, the eCAF can be raised either for the initial term or for the initial term plus any extensions. Raising it for the initial term plus extensions saves the requirement to return through governance for additional approvals when the contract is being extended, but:
• This means that the record is incorrect for Contract Management from the outset and the reporting from the system is incorrect.
• The Contract Manager and Sourcing Manager will not receive reminders before the contract expires at the end of the initial term.
• Monitoring compliant spend against the contract is more complex, as the contract value shown in the system is incorrect.
• Only the Procurement Manager who procured the contract or the initial Contract Managers who were involved in the contract record creation would understand the correct position, and with the turnover in the business this is not robust.
• Any Contract Managers picking up contracts in the future would not have visibility of the CAF (the business does not have access to the CAF system and no copy of the completed CAF is saved on the contract record) and would have a misleading impression of the contract.
Next Steps
8. Recommendations on how to address and resolve the issues highlighted in the report
above will be brought to GE in August before being taken to RCC and ARC for discussion
and approval.
Appendix 1: Open Procurement Risk Exceptions (as at 1 June 2023)
(service not legible) | Owen Woodley | ACI | £392,380 | 14/04/2020
Banking Services | Commercial | Owen Woodley | Barclays | £320,000 | 25/06/2020 | 16/03/2025 | Board
Payout Services | Commercial | Owen Woodley | Zunoma | £2,700,000 | 01/09/2020 | 30/06/2023 | Board
Property | Retail | Martin Roberts | Insafe | £9,300,000 | 06/06/2018 | 31/10/2023 | Board
Total | £12,712,380
ACI - Board approved direct award in April 2020
The items purchased through CACI are OCEAN & FRESCO, which are attitudinal segmentations that, when applied to the Post Office customer database (BRANDS), allow us to do the following:
• Provide the underlying data which enables the new Post Office customer segmentation. This enables us to then run counts in BRANDS of how many customers we have in each of these segments.
• FRESCO & OCEAN are also the underlying data that powers our CRM propensity modelling.
There is currently no framework in place for these tools and to run an FTS procurement would take at least 6 months.
At this date there is no appetite for an FTS procurement to take place as we would have to re-create the entire Post
Office Segmentation every 2-3 years to accommodate another vendor.
Banking Services - Postal Orders and Camelot Cheques. The service was originally with Co-Op; they terminated the contract in order to exit the cheque clearing market. Barclays stepped in to pick up the service as it is very similar to cheque clearing. As agreed with the Board in November 2021, the corporate banking contract with Barclays was extended compliantly under Reg 72 of PCR 2015. Given the synergies of the contracts and the uncertainty over Camelot's contract for the National Lottery, it was agreed to continue the contract with Barclays for Camelot Cheques and Postal Orders.
Payment Services — Board approved direct award in November 2022. Zunoma (previously Smith & Ouzman), have
been operating as POL’s security print provider since the commencement of Payouts in 2006. The original contract
was created in June 2018 and backdated to 2015. The contract expired in July 2019. The Energy Payouts were put
through the Zunoma contract as this was seen by the Business as a continuation of a BAU service.
The direct award of the contract to Zunoma is non-compliant with the Public Contract Regulations. It is Procurement’s
view that we are unlikely to receive a challenge to this direct award.
Insafe International Ltd - In June 2018 Post Office compliantly let a contract for the supply and installation of branch cash safes and associated equipment (timers, locks etc.) for an initial five-year term with three optional twenty-four-month extensions, with a total contract value of £3.8m.
Although BAU spend has been well managed at £2M, an additional £9.9M has been spent on non-BAU projects.
Current spend has reached £11.9M with a projected additional spend of £1.2M to March 2024.
This over-spend represents a significant failure to adhere to the Contract Management Framework. The risk of a
challenge arising is low and further mitigated by the plan to re-procure by October 2023.
Tab 14.2 Fraud Risk
Post Office Limited - Document Classification: INTERNAL
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Fraud Risk Management
Meeting Date: 10 July 2023
Author: Rebecca Barker (Head of Risk), Johann Appel (Director of Audit and Risk)
Sponsor: Alisdair Cameron
Input Sought: Noting
The committee is requested to:
i. Note Post Office's approach to Fraud Risk management and Central Risk's assessment of the current fraud risk and controls.
Executive Summary
The committee requested a bottom-up review of fraud risk across Post Office. Following the
implementation of ServiceNow GRC, we are now in a position to perform such a review.
We note that there is no overarching fraud risk appetite; rather, the appetite for the different fraud events varies based on the applicable business area or product. For example, it is acknowledged that there is a higher inherent fraud risk associated with money transfer products.
We highlight that some imminent legal and regulatory changes will increase the need for enhanced fraud risk management in Post Office, specifically:
• The government is looking to introduce the new Economic Crime and Corporate Transparency Bill, introducing specific 'failure to prevent' offences, including failure to prevent fraud by an associated person (as well as computer misuse and human rights abuses).
• The BEIS whitepaper on 'Restoring Trust in Audit and Corporate Governance' will require Directors of Public Interest Entity companies to report on the steps they have taken to prevent and detect material fraud. Detail on what this disclosure will look like and where it would be presented in the ARA has not yet been communicated.
Fraud Risk management is fragmented across the Post Office and ownership of activities falls to several teams; however, from our high level assessment we have not identified any material gaps which would give cause for concern about being able to comply with the proposed new 'failure to prevent' regulations.
Report
1. Fraud Risk Context: Fraudulent action can be committed by persons internal or external
to the organisation. Fraud can result in material financial or reputational impact to the
business. Fraud risk can arise from inadequate or failed internal processes or systems,
human error or misconduct. Correctly implemented, fraud risk management reduces the
risk of financial crime such as fraud, theft, embezzlement, and money laundering and other
offences such as bribery, corruption, and extortion.
2. Approach: To provide an overview of fraud risk identification within the business, the Central Risk team have referred to the National Crime Agency standards to assess our approach to fraud risk management. Their strategy addresses the four strands to act on organised crime, known as the four Ps:
• Pursue - Identifying the source of fraud.
• Prevent - Controls to prevent fraud from occurring.
• Protect - Strengthening our protection against fraud.
• Prepare - Mitigating the impact of fraud.
3. Pursue: Once fraud has been identified, an investigation will be completed by the relevant team: external fraud against products and services (customer fraud) is investigated by the Financial Crime and Product teams, and internal fraud by POL's Central Investigations Unit (CIU). The teams will work with the Police, Business owner and Network to understand the source, to ascertain the cause and to establish whether the fraud is isolated. The Central Risk team will form part of the output of the investigation, where required, to ensure the identified causes are mitigated, and will assess the impact of this on existing risks. There are several teams across the business which have processes in place to help identify the source of fraudulent activity:
• Financial Crime Team (Anti-Money Laundering, Anti Bribery and Corruption, and Financial Crime).
• Security Operations (the Cyber Security team provides security operations and network monitoring: it monitors incidents raised by colleagues and branches, tracks independent security findings by criticality and monitors vulnerabilities across the estate).
• Grapevine - fraudulent activity identified by any Post Office employee, Postmasters or their staff is reported to Grapevine, along with Suspicious Activity Reports where money laundering is suspected.
• 'Speak up' whistleblowing service, enabling all employees, Postmasters and their staff and other external stakeholders to raise concerns in confidence (and anonymously, if preferred).
4. Prevent: Key controls are in operation (active on ServiceNow GRC) across the business that help to reduce the likelihood of a fraud materialising. There are currently 1012 controls actively managed, with control attestations taking place annually or monthly. Control attestations, issues and non-compliance of controls are managed across the business by the compliance manager leads.
• Overarching governance controls, such as delegation of authority and segregation of duties.
• There are controls across Finance (monitoring aged debts, hedging, cashflow, managing network cash, banking payments), Technology (management practice, governance, protective technology, user access controls and identity and access management systems), Postmaster Onboarding (vetting, smart ID, joiners & leavers), Service and Support (transaction corrections, banking enquiries, stock discrepancies) and Supply Chain (operational management, physical & environmental protection).
• The Financial Crime Team undertake annual assurance exercises, recently reporting on Financial Crime, ABC and AML/CTF.
• Several key policies are in place and include, but are not limited to, the Code of Business Conduct, Financial Crime Policy, Cyber & Information Security, Modern Slavery, ABC, AML and FOI. Each Policy contains a set of minimum operating standards relating to the design and implementation of controls, and policy owners undertake regular assurance against those minimum standards. The Financial Crime Policy includes a number of fraud control minimum standards (e.g. people vetting, building access control, etc.). Compliance with these policies supports the Group in meeting its business objectives and in balancing the needs of shareholders, staff and other stakeholders.
• Internal Audit provides independent validation of the effectiveness of the self-attestation process for the Financial Reporting controls on an annual basis, as well as regular reviews of other control frameworks, such as the IT Control Framework.
5. Protect: Post Office has processes and procedures in place to support how we strengthen our protection against fraud; this is managed by a number of teams across the business, as listed below:
• Cyber Security: protects our networks, deploys endpoint detection and prevention tools to thwart malicious hacks, manages software patching, and monitors the network and applications to identify irregular activity.
• Data Protection: ensures compliance with data protection requirements.
• Financial Crime Team: completes regular financial crime risk assessments for high risk products and services. FCT will identify new risks including fraud risk, e.g. product or transaction limits and ID requirements to meet money laundering regulations, unusual activity, etc. The Central Risk Team are engaged in this process.
• Product Management: responsible for keeping the Product Information Pack (PIP) up to date in line with any product changes. The purpose of the PIP is to provide an overview of the product or service, including the customer/transactional journey, parties involved, any contractual responsibilities, and monitoring and control requirements. The Central Risk Team are engaged in this process to ensure any new risks identified are being raised and managed by the business.
6. Prepare: There are a number of processes and procedures in place across the business to respond to instances of fraud and further mitigate the risk of fraud. These are:
• Central Investigations Unit investigates and mitigates incidents.
• Security teams continue with phishing tests, educating employees on how to identify suspicious activity, etc.
• A programme of annual compliance training and tests for all employees, contractors, and Horizon users (e.g. ABC, AML, Information Security, Data Protection).
• A Risk Management process is in place to ensure 1st line risk owners are responding to and mitigating risks.
Conclusion
7. In order to provide an ongoing holistic view of fraud risks, controls and visibility of fraud prevention across Post Office, the business would benefit from having all fraud risks and controls captured within ServiceNow and correctly mapped, albeit it is acknowledged that currently there is insufficient resource/bandwidth in the front line to achieve this.
8. We recommend that going forward any risk relating to fraud in SNOW GRC is tagged to highlight that it is a fraud risk. This will enable the Central Risk team to provide assurance over fraud risks across the business. We also recommend that a deep dive of fraud risks should be presented to the ARC in July 2024.
Tab 14.3 Committee Forward Plan
Audit, Risk & Compliance Committee Forward Plan: January 2023 - March 2028
Standing items for noting (no presentation)
(forward plan table not legible in this copy)