UKGI00044336 - POL: Meting minutes of the meeting of the Audit, Risk & Compliance Committee


Agenda
Meeting: Audit, Risk & Compliance Committee
Date: 16 May 2023
Time: 09:00 - 11:30 hrs
Location: 20 Finsbury Street, London, EC2Y 9AQ / Microsoft Teams.
Meeting Room: Moorgate

Present:
Simon Jeffreys (Chair)
Elliot Jacobs (NED)
Andrew Darfoor (Observer)
Amanda Burton (NED, Observer)
Lorna Gratton (NED, UKGI)

Invited Attendees:
Tim Bennett (Senior Internal Audit Manager): Item 3.3
Zdravko Mladenov (Group Chief Digital and Information Officer): Items 3.3, 4 and 5
Matt Taylor (Head of Data Management): Item 4
Vishal Thanki (Data Governance Lead Contractor): Item 4
Kayleigh Dodd (Digital/Physical Records Manager): Item 4
Dan Pearson (Director, PwC): Item 6
Martin Kearsley (Product Portfolio Director - Banking, Payments and Transactional Products): Item 6
Tom Lee (Group Financial Controller): Item 6
Sarah Gray (Group Legal Director): Item 7

Regular Attendees:
Henry Staunton (Group Chairman)
Ben Foat (Group General Counsel)
Andrew Paynter (Partner, PwC)
Sarah Allen (Director, PwC)
Anshu Mathur (Group Assurance Director)
Johann Appel (Head of Internal Audit)
Jonathan Hill (Group Compliance Director)
Carol Murray (Deloitte Partner)
Rachel Scarrabelotti (Company Secretary)
Marie Molloy (Senior Assistant Company Secretary)

Apologies:
Nick Read (Group CEO)
Alisdair Cameron (Group CFO)

Strictly Confidential

Time | Item | Owner | Action
09.00 | 1. Welcome & Conflicts of Interest | Chair | Noting
09.00 | 2. Previous Meetings | |
| 2.1 Minutes: (i) 28 March 2023 | Chair | Approval
| 2.2 Action List | Chair | Noting
POL ARC Meeting-16/05/23

| 2.3 Draft Risk and Compliance Committee Minutes (9 May 2023) | Alisdair Cameron | Noting
| 3. Risk, Compliance and Internal Audit Updates | |
09.05 | 3.1 Risk Report & Dashboard: Risk Appetite Statements (People); Retail & Franchise Risk and Group Corporate Affairs Risk Deep Dives | Johann Appel | Approval/Noting
09.15 | 3.2 Group Compliance Update | Jonathan Hill/Anshu Mathur | Noting
09.25 | 3.3 Internal Audit Report | Johann Appel/Tim Bennett/Zdravko Mladenov | Noting
09.35 | 4. Data Governance Framework Approval | Zdravko Mladenov/Matt Taylor/Vishal Thanki/Kayleigh Dodd | Approval
09.45 | 5. Technical Assurance Plan for SPM (Verbal Update) | Zdravko Mladenov/Anshu Mathur | Noting
09.55 | 6. Outcomes from the Banking Framework assurance engagement | Dan Pearson/Martin Kearsley/Tom Lee | Noting
10.05 | 7. Policies for Approval: 7.1 Internal Audit Charter; 7.2 Business Continuity Policy; 7.3 Speak Up Policy; 7.4 Group Legal Policy | Jonathan Hill/Sarah Gray | Approval
10.15 | 8. Committee Evaluation | Chair | Noting/Discussion
10.25 | 9. Any other business | All |
10.30 | 10. External Audit to meet with ARC Members | |

POST OFFICE LIMITED

Items for Noting
These items will not be presented to the Committee and any questions should be sent to the Secretary for submission to the author for response. Questions and answers will be recorded as appendices to the meeting minutes.

1. Procurement Governance & Compliance | Liam Carroll
2. Post Office Insurance ARC update | Tan Holloway
3. Payment Practices Reporting Compliance | Tom Lee
4. Strategic Partner Risk & Failure Monitoring Paper & Dashboard | Abigail Mcgeever
5. Committee Forward Plan | CoSec

Next ARC Meeting:
- Wednesday 21 June 2023 at 09:00 - 09:55 via Microsoft Teams.

Tab 2.1 Minutes of 28 March 2023


MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF
POST OFFICE LIMITED HELD ON TUESDAY 28 MARCH 2023 AT 20 FINSBURY
STREET, LONDON EC2Y 9AQ AT 10:00 AM

Present:
Simon Jeffreys (Chair)
Lorna Gratton (Observer - UKGI) (LG)
Elliot Jacobs (NED) (EJ) (entered the meeting at 11.12)
Tom Cooper (NED, UKGI) (TC)

Invited Attendees:
Anshu Mathur (Interim Group Compliance Director): Item 3.2 (AM)
Zdravko Mladenov (Group Chief Digital and Information Officer): Items 4, 5, 6 and 7 (ZM)
Matt Taylor (Head of Data Management): Items 4 & 5 (MT)
Vishal Thanki (Data Governance Lead Contractor): Items 4 & 5 (VT)
Kayleigh Dodd (Digital/Physical Records Manager): Items 4 & 5 (KD)
Zoscha Partos (Deputy Data Director): Items 4 & 5 (ZP)
Dean Bessell (Interim CISO for Retail and Control): Item 6 (DB)
Martin Kearsley (Product Portfolio Director - Banking, Payments and Transactional Products): Item 8 (MK)
Tim McInnes (Strategy and Transformation Director): Item 10 (TM)
Jo Welch (Head of Change Risk & Assurance): Item 10 (JW)
Tom Lee (Group Financial Controller): Item 11 (TL)
Christine Kirby (Head of Financial Controls and Assurance): Item 11 (CK)

Regular Attendees:
Henry Staunton (Chairman, POL) (HS)
Nick Read (Group Chief Executive Officer) (NR)
Alisdair Cameron (Group Chief Finance Officer) (AC)
Ben Foat (Group General Counsel) (BF)
Andrew Paynter (Partner, PwC) (AP)
Haydn Horner (Senior Manager, PwC) (HH)
Carol Murray (Deloitte Partner) (CM) (entered the meeting at 10.24)
Emma Gauntley (Deloitte Senior Manager) (EG)
Johann Appel (Head of Internal Audit) (JA)
Tim Bennett (Senior Internal Audit Manager) (TB)
Rebecca Barker (Deputy Head of Risk) (RB)
Jonathan Hill (Group Compliance Director) (JH)
Rachel Scarrabelotti (Company Secretary) (RS)
Marie Molloy (Senior Assistant Company Secretary) (MM)

Apologies:
Sarah Allen (Director, PwC) (SA)


1. Welcome and Conflicts of Interest

1.1 A quorum being present, the Chair opened the meeting. The ARC acknowledged the attendance of LG as an observer at this meeting. As an observer, the ARC is aware that all contributions made by LG to this meeting are observations only, and do not constitute advice, recommendations, directions or instructions. The ARC confirms that it will take due care not to be unduly influenced solely by a contribution made by LG and that it will reach its conclusion based on a balanced and diligent assessment of all of the facts available to it.

1.2 The Directors declared that they had no new conflicts of interest in the matters to be considered at the meeting in accordance with the requirements of section 177 of the Companies Act 2006 and the Company’s Articles of Association.

2. Previous Meetings

2.1 The minutes of the Audit, Risk and Compliance Committee meeting held on 23 January 2023 were APPROVED and AUTHORISED for signature by the Chair.

2.2 Progress against the completion of actions as shown on the action log was NOTED.

2.3 The Chair asked about monitoring actions arising from RCC. AC confirmed there was a separate log that was reviewed at each meeting. It was agreed that any long overdue actions from RCC would be flagged to the Chair and the Chair would be invited to an RCC meeting as an observer.

The draft minutes of the Risk and Compliance Committee held on 14 March 2023 were NOTED.

3. Risk, Compliance and Internal Audit Updates

3.1 Risk Report & Dashboard

RB presented the Risk Report & Dashboard. RB highlighted that the recent risk assessment of cyber loss of availability has increased, which was expected following the recent attacks on Post Office Insurance. RB identified two risks which have moved from within tolerance to outside tolerance: Post Office Insurance cyber risks and increasing money laundering through the branch network.

RB drew attention to the proposed Commercial appetite statements, detailed at Appendix 3, which had been reviewed with the Commercial Team. RB was also seeking approval of the Risk Harm Table, contained in the reading room, as this is reviewed by ARC annually. No changes had been made to this table from the previous year.

TC asked about the impact of the POI attack on the business. JA believed that
the impact was minimal but ZM was attending the meeting for other items and
could advise.

HS referenced cyber risk at paragraph 7 and asked how well POL were covered in this respect. AC did not consider POL were in the right place regarding cyber risk. The previous POL ARC Chair had written to and met with the BEIS ARC Chair to highlight that POL were exposed in this area and were not managing this risk. AC also recognised that there would be additional cyber risk in relation to NBIT, due to its greater connectivity.

TC recalled an audit that Deloitte had previously conducted that placed POL mid
of the pack at that stage, in regards to cyber security. AC considered that the
external context had moved on in the last two years and the updated view was
that £20m was required to be spent on POL cyber security. NR confirmed there
had been 800 cyber incidents in February 2023 alone. He considered that POL
were now below the pack regarding cyber security.


The Chair summarised that the risks were outside tolerance and appetite but
that POL was continuing to tolerate the situation. AC confirmed that BEIS were
informed regarding the key risks outside tolerance. AC flagged the Fujitsu exit
and delivery of NBIT as existential risks to POL. There were to be funding
conversations with the Government in the next few months.

The ARC:
- APPROVED the proposed appetite & tolerance levels for Commercial Risk;
- APPROVED the annual sign-off of the corporate Harm Table; and
- NOTED the status of top operational and strategic risks.

3.2 Group Compliance Update

AM entered the meeting.

CONFIDENTIAL

The Chair asked if there was a path to green for the unstructured hard copy
data. JH advised that the data team had a plan to address this which was
subject to funding discussions and was to be presented to the ARC in a later
item.

JH highlighted AML and was aware that ARC had an item regarding Banking and deposit limits later in the meeting. The Chair asked if the risk was for POL or the Banking partners. JH considered it a reputational risk and a commercial risk, as the Banking partners would stop using POL if POL controls were deemed not to be adequate. JH considered that there were the right controls at the POL end, since KYC was predominantly a Bank accountability.
CONFIDENTIAL

JH discussed the £90m fine William Hill had received due to lack of historical control. AM considered the principle was the same for Banks in relation to protecting participants/the customer, with the onus on POL to demonstrate controls around splitting and placement of deposits. AC considered the Banking report to be overly optimistic regarding the risk of changes to deposit limits. ACTION (JH): The Chair requested a compare/contrast exercise with the situation at William Hill.

CM entered the meeting.

TC suggested the use of Yoti regarding HMRC Fit and Proper reporting issues. JH advised that it was not a question of how Postmaster checks were done, as they were accurate; it was regarding extracting information from the system. AM confirmed that the manual controls are compliant. BF confirmed that a full update on next steps, timelines and residual risk will be provided at the May RCC.

AM provided an update on historical matters assurance.

The assurance review of the Stamp Stock Scheme (SSS) is now complete and a
final draft report has been sent to the Historical Matters Governance team. AM
noted that the key findings from the preliminary report in October 2022 were all
incorporated with SSS and have been taken forward in other schemes by the
HSS team.

In relation to CIJ assurance, AM advised that there were 365 lines of interest and 80% of the fieldwork had now been completed. HIJ Assurance have received all the data sets from the Technology Team and are targeting to complete the assurance reviews by end of April 2023. AM contrasted the more binary data sets of CIJ assurance with those of HIJ assurance, where the key challenge will be to assess how the various documents and evidence provided actually measure against the desired outcomes of the judgements. AM would bring this back to the ARC once completed.

TC asked about the HIJ risk to POL and the Shareholder. NR confirmed that IDG 2.0 would be reassessing and working through this. TC discussed demonstration of evidence of the conformance and that it was being actively lived in the business, rather than just policy. TC requested that aspects that could not be resolved before the Inquiry be flagged to the POL Board. The Chair and HS were to have an offline conversation regarding governance, high level strategy and maturity implementation. ACTION (ZM): An overall plan for HIJ including timetable, governance and assurance activity to be presented to ARC and POL Board.

The ARC NOTED the Group Compliance Update.

AM left the meeting.

3.3 Internal Audit Report
JA introduced the Internal Audit Report. JA advised that the remaining nine internal audits to deliver in the programme this year were in flight. Two reports had been finalised: Integrated Settlement and Billing, which was rated satisfactory, and IT Control Framework, which was rated as needs improvement. The SPM release 2 report was being finalised and IA have concluded that there is a major risk to delivery.
JA confirmed that since the report was completed two more actions have been
closed and there were 10 overdue actions currently.
The meeting discussed the integrated assurance approach which was 11 months
overdue. ZM was working on the technical assurance, being presented later in
the meeting. AC confirmed there was no integrated plan at the moment. JA will
continue to track the open action and provide an update at each ARC until
completion.
Internal Audit CoSource Independence Report including non-audit fees
JA confirmed the completion of declarations of Independence by in-house staff,
Deloitte and Mazars and that the non-audit spend was well within the limits.


The ARC:
- NOTED the Internal Audit Report; and
- NOTED the Internal Audit CoSource Independence Report including non-audit fees.

3.4 2023/24 Internal Audit Plan

TC asked if being behind on this year’s IA programme would impact next year’s programme, particularly in light of the decreased budget. JA said that any impact would be minimal as the remaining IAs had already been started, noting that the audit year was May to May.

The Chair enquired about the reduction in IAs from 30 to 22. AC confirmed this was to reduce cost. JA also outlined that this decreased the impact/footprint on the business in the context of NBIT and the Inquiry. The Chair considered the three year rolling plan and whether everything was being covered that should be. JA confirmed the plan was comprehensive and the majority of the core processes and those with a critical impact are still being covered by the proposed plan.

The ARC APPROVED the proposed internal audit programme for 2023/24.

4 & 5 Impact of Data Management Funding Reduction & Unstructured Data

ZM, MT, VT, KD & ZP entered the meeting.

MT advised there had been a number of funding rounds and the current funding allocation for the remediation of POL's risk profile for structured data stands at £1.5m over 3 years, with £0.9m remaining, with no explicit funding for unstructured data beyond a single BAU resource. The 11.5k Post Office branches produced a lot of paperwork, which presented a large risk to the organisation.

The Chair asked about the significant decrease in funding and the impact of the
£1.5m of funding. ZM advised that risk in relation to unstructured data is
outside appetite and tolerance and risk for structured data is outside appetite.
With the current funding of £1.5m the risk level remained significant, ZM
confirmed. ZM outlined the proposed investment of £7.2m over two years,
which is pending approval, would bring unstructured and structured data to a
more acceptable point but would not be enough to remediate every issue.

TC asked about the Inquiry lawyers in the context of unstructured data and indexing. BF outlined the pace at which they were required to produce documents. Rule 9 requests and Section 21 requests, which only give 3 days to produce the documents, were discussed. Indexing was challenging as the Inquiry lawyers were not experts in POL data systems. ACTION (MT/BF): BF and MT to have an offline conversation about the Inquiry team in the context of indexing and working with the data management team.

TC asked about the historic data and replication. CONFIDENTIAL
whilst acknowledging that the Inquiry was a small subset and that not everything was indexed and logged properly.


The Chair asked about the cut off from this point and indexing unstructured
data as it is created. MT discussed the challenges and that building a central
indexing site managed by Post Office was proposed which could differentiate
between data that needed to go into storage and that which could be disposed
of.

AC differentiated between branch data and controlled Post Office data, as branches had been told to print off data each week but POL had no control over this data. ZM and MT highlighted the challenges around branch data, with the proposed indexing site providing the only solution to address this. LG asked about the use of AI in scanning and indexing at a central site. ZM acknowledged there was work required to improve on this. ACTION (KD): A plan to be presented to ARC regarding branch data.

AC also raised the issue of use of personal devices for work purposes in light of recent use of WhatsApp messages for government business.

TC noted that POL were not meeting statutory obligations with the current
funding. AC was proposing to start spending the money before funding was
received due to the seriousness of this situation.

TC asked about the Horizon data sites in Belfast, post Belfast Exit. ZM confirmed
that data would be migrated offline to a cold storage facility location. This data
would be required for legal and compliance purposes and POL would be able to
access the data when required. TC asked about challenges after migration. ZM
confirmed that 90 days’ worth of data would still be accessible to postmasters
and would utilise NBIT.

The Chair anticipated a Board paper regarding the £7.2m investment proposed.
ZM confirmed there was a plan for the additional funding but he could not
confirm the head count required as yet. AC confirmed that the business could
not be run knowingly in breach of legal responsibilities and that funds would
have to be spent on this. MT advised there had been a request for NBIT to stop
printing, but this has not been confirmed and there may still be a requirement
to do so.

The ARC NOTED the Impact of Data Management Funding Reduction & Unstructured Data.

MT, VT, KD & ZP left the meeting.

6. Cyber Security & Ransomware Update

DB entered the meeting.

TC asked about the impact of the POI attack on the wider business. ZM believed this was minimal as the Insurance business was isolated from the core system, but this would be confirmed. ACTION (ZM): ZM to confirm to ARC the impact of the POI attack on the wider business.

JA enquired if engagement with the National Cyber Security Centre was planned regarding the ransomware playbook. DB confirmed that it was, and that he also met weekly with the pan-government services group at the Department of Business and Trade.


AP noted an experience at another organisation he was aware of where mobile
devices were impacted and key people involved could not communicate with each
other in the critical initial period. ACTION: Ransomware playbook to include
provision for mobile devices being impacted.

The Chair asked about the status of the playbook. DB confirmed this was in phase 2 and would be completed in April 2023.

EJ entered the meeting.

AC was keen for the relevant personnel to work through exercises once the
playbook was complete. DB confirmed this would be undertaken with GE as part
of phase 3 in Q2 2023.

Following the ransomware attack on Royal Mail Group, NR requested that lessons
learned from this be presented to ARC. ACTION: Lessons learned from the
ransomware attack on Royal Mail Group to be presented to ARC. DB to prepare
lessons learned for the ARC. DB to reach out to RMG CISO to seek an update on
the incident.

TC discussed the practical lines into the department, payment of ransoms and government policies in this area. DB confirmed there would be a formal negotiation exercise as part of the exercises planned in phase 3.

The ARC NOTED the Cyber Security & Ransomware Update.

DB left the meeting.

7. NBIT Technical Assurance Strategy Update

ZM presented the update and confirmed there were a number of activities in-flight. The strategy to ensure the new system is technically fit-for-purpose focused on five pillars:

- Security and Access Management
- Transaction Integrity and Data Quality
- Software Robustness
- Functional Design
- BAU Support Capability

Against each pillar, a range of KPIs has been defined, plus the activity required
of the NBIT technology team to assure delivery of those KPIs on an enduring
basis. Early-warning indicators have also been developed for monitoring during
migration.

The Chair asked if the KPI information was retrievable from the system. ZM
advised it was and the plan was to make the information publicly available. LG
enquired if this was to Postmasters or Post Office Head Quarters. AC was in favour
of complete transparency to Postmasters and information regarding if an issue
was fixed or still ongoing as this assisted Postmaster confidence and flagging of
any issues. NR agreed that the principle of transparency was the right one. EJ
recognised the differentiation between pre-launch testing and the live
environment.

The Chair asked how Mazars were selected and the experience over the first 10
days. AC confirmed there had been a competitive process resulting in the
selection of Mazars. ZM advised they appeared competent and had the right
experience in his interactions over the 10 days.

HS asked about the assurance and was keen to have a high standard. ZM confirmed the assurance bar was equivalent to that of aircraft safety. The Chair asked about the quality assurance KPI and ZM confirmed there was a quality assurance function in place; however, with the decimal point database issue, ZM advised this defect should have been picked up earlier.

TC noted this update was limited to technical assurance and asked about overall
assurance of the programme. ZM referenced the BEIS IPA that had recently been
issued. AC confirmed they had to complete the plan and get Board approval. LG
was mindful of the information that the Treasury would require for sign-off. TC
discussed cost and timetable. AC advised that KPMG were supporting and working
with NR and Katie Secretan regarding the retail delivery plan. The retail and
technical elements ZM was working on would come together in a single plan. NR
confirmed the integrated plan would not be ready before the June POL Board.

LG considered whether the delivery plan had learned lessons from other organisations such as the DWP with Universal Credit. NR confirmed KPMG had been brought in to provide information on other organisations' experiences.

TC considered that the IPA review had been critical of Board engagement. HS was
looking to introduce a change in Board emphasis which would be picked up in the
Board meeting in the afternoon. TC considered a Board IT skills gap following a
Director resignation. The Chair confirmed this was being picked up by the Board.

The ARC NOTED the NBIT Technical Assurance Strategy Update.

ZM left the meeting.

8. Banking Deep Dive

MK entered the meeting.

MK outlined that Access to Cash legislation continued to progress through
parliament and is expected to become law this summer. The impact of deposit
limits was estimated as removing c.£3.5bn cash per annum from POs, whereas
the problem the National Economic Crime Centre was aiming to prevent was only
estimated £3-500m per annum. The impact to Postmasters was discussed with
0.5% transactions failing previously and with the deposit limits in place this was
now between 3-5% for the biggest banks, up to 12% for some of the smaller
ones, of all transactions failing. Customers of the biggest banks were being
impacted the most due to their 80% market share.

MK had raised the deposit limit issue with the FCA, UKF and now Government
cabinet as this was a direct challenge to the Access to Cash legislation but
acknowledged there had been limited progress thus far. The POL budget has not
yet been impacted. POL is still over-budget for Banking, so this issue is about
additional business foregone, but Postmasters had definitely felt the issue as their
biggest local customers can no longer deposit their full amounts. This is a live
issue for Postmasters and is a potential issue for the future and the importance
of Banking was highlighted by MK. NR noted the outperformance of withdrawals
assisting to date.

EJ highlighted all the work that Postmasters undertook before the transaction failed and the impact of counting money in and back out to the customer when failures occurred. EJ also raised the exposure risk from mis-inputting the numbers inherent in human interaction. MK noted that the set deposit limit resulted in people with nefarious purposes changing their mode of operation within a few days to drop below the limits and carrying on as before.

Replacing Banking deposit limits with account by account controls was 18 months away, MK estimated. MK outlined the advantage that information from the banks regarding what could be deposited that day could assist the postmasters and counter staff so there were not multiple attempts. This was anticipated in June/July 2023.

MK discussed deploying Easy ID to enable those with the ID to deposit what they needed, with those undertaking criminality not likely wanting to use a digital ID. TC asked if the banks would co-operate with the pin, card and digital ID. MK confirmed the banks were engaged in the discussion and would be considering how/if to deploy these and other methods.

MK outlined the previous proposal to the banks to conclude the issue on low value,
non-round withdrawals in the POL network, where Barclays were arguing that
some Postmasters were conducting withdrawals for retail purchases when they
had a point-of-sale terminal already. The banks were unable to agree the POL
proposal between themselves and therefore the offer expired at the end of
December 2022, as all banks had to agree to it. Barclays remained the hold out
bank and MK expected this issue to return under Banking Framework 4
negotiations.

MK confirmed that the PwC Audit of the Banking Framework had been signed off and was being shared with the 5 institutions in the Banking Framework. PwC had raised 17 qualifications, some of which were POL wide and some were Banking Framework specific. The qualifications had not been weighted. Action to counter the sharing of smart IDs was discussed. Document governance and Policies provided to the 5 institutions were outlined.

The Chair asked about this work having been done under the direction of POL and
potential conflict. AP confirmed this was explicitly approved by POL ARC. MK
outlined the legislation protecting the last bank in an area and TC discussed
optimising the strategy and position for POL in relation to this legislation.

The ARC NOTED the Banking Deep Dive.

MK left the meeting.

9. Law and Trends & Legal Risk Review

CONFIDENTIAL


CONFIDENTIAL

The ARC NOTED the Law and Trends & Legal Risk Review.

10. Transformation Office Changes Update

TM & JW entered the meeting.

TM outlined the main risk regarding portfolio funding and the Department of
Business and Trade in relation to NBIT and the Inquiry.

The ARC NOTED the Transformation Office Changes Update.

TM & JW left the meeting.

11. BEIS White Paper On Restoring Trust In Audit And Corporate Governance - Response Overview

TL and CK entered the meeting.

CK outlined the enhanced accountability for Executive and Non-Executive Directors due to greater enforcement powers by the Audit, Reporting and Governance Authority. This was previously applicable only to Directors who were members of professional bodies. CK advised there would be greater responsibility for management reporting into RCC and ARC going forward, to provide sufficient comfort that all duties were being met.

The Chair discussed Director’s attestations on controls and the potential impact
for Directors due to changes in the Corporate Governance Code. AC accepted
that Directors would require evidence to support their attestations and this
would involve additional paperwork.

CK confirmed that POL will only be able to perform a detailed impact
assessment and put forward proposals, including expected cost implications,
once guidance has been formalised by BEIS.

AP advised that there was still uncertainty in the area but POL, as a Company, will be classified as a Public Interest Entity (PIE) under the proposed new definition as it is a private company with revenue greater than £750m and with more than 750 employees. POL’s subsidiaries do not meet the definition of PIE. AP outlined that a matrix would be provided to POL in April. AP suggested that a Board Audit and Assurance Policy could be created.

EJ was concerned about the potential volume of data and requested one set of
documents that Directors were required to attest. AC agreed this would be
provided, similar to the information provided for the accounting officer.

The ARC NOTED the BEIS Whitepaper Response Overview.

TL and CK left the meeting.

12. Policies for Approval

12.1 Cyber and Information Security Policy


The ARC APPROVED the Cyber and Information Security Policy.

12.2 Health and Safety Policy

The ARC APPROVED the Health and Safety Policy.

13. AOB

There being no further business, the meeting was closed at 12.18 pm.

14. Items for Noting

14.1 The following papers were circulated to the Committee prior to the meeting, but were not discussed at its meeting and were NOTED by the Committee:

- Procurement Governance & Compliance
- Post Office Insurance ARC update
- Mystery Shopping Results
- Committee Forward Plan


Tab 2.2 Action List


POL ARC Meeting-16/05/23, 15 0f 85
Tab 2.2 Action List

16 of 85

3 eaeay ar Saas aa ies, SERRE Sas TT NT RET RST RT RTS
fs ise ep rtaa ut repring owng (aac
Sica Th ston os Dat renege Cate Mae, aoe cial °
{Spann hora
ae GDR fad OTRO Te OTT BK TN TRC
fei antl me amen ge preeses :
ang pe ceenanseenten sn
Tae] a — iio eal oe ES PT a
© "To RETON: a a a ea TTY “pa OS Oa ary Ha UTED RT war a ON AE a)
fine ae ong animes ie ayorten be rece) an nen ae nae
ros {wtnnne cone papate beget) Tne nhc marl welsh se a Mad Oy
Sanaa} area i ani ARC eign ag Oa] Ta
aE] RON IT SRT PT Ta Sa OT RTC Ra
Rear hesrese Peers or re
7 TRON RR ESAS RR DETTE aE ST FEES SORES RS TSS
(evens bema ose, proposed for donore
HE] eae) 6 Ian eno caret en ara taco na [N ee
se ts echo tog i osc sop enc


Tab 2.3 Draft Risk and Compliance Committee Minutes (9 May 2023)


POST OFFICE LIMITED

MINUTES OF A MEETING OF THE RISK AND COMPLIANCE COMMITTEE OF POST OFFICE
LIMITED HELD ON TUESDAY 9 MAY 2023 AT 10:00 AT FINSBURY DIALS

Present:
Ben Foat (Group General Counsel), Chair in the absence of Alisdair Cameron

Apologies:
Alisdair Cameron (Chair)
Pete Marsh (Retail Operations Director) (PMa)
Jane Davies (Group Chief People Officer) (JD)

Attendees:
Liam Carroll (Procurement Director): Item 2 (LC)
Max Jacobi (Finance Director - Commercial) (MJ)
Mark Underwood (LCG Operations Director): Item 2 (MU)
Zdravko Mladenov (Group Chief Digital and Information Officer) (ZM)
Sarah Koniarski (Senior Assistant Company Secretary): Item 2 (SK)
Ian Rudkin (Interim Group Reward Director) on behalf of Jane Davies (Group Chief People Officer) (IR)
Susan Godfrey (Senior Procurement Operations Manager): Item 2 (SG)
David Southall (Head of Contract and Deployment): Item 3 (DS)
Matt Taylor (Head of Data Management): Item 4 (MT)
Kayleigh Dodd (Digital/Physical Records Manager): Item 4 (KD)
Vishal Thanki (Data Governance Lead Contractor): Item 4 (VT)
Tim Bennett (Senior Internal Audit Manager - Strategy & Transformation): Item 7.3 (TB)

Regular Attendees:
Sarah Gray (Group Legal Director) (SG)
Johann Appel (Director of Internal Audit & Risk) (JA)
Rebecca Barker (Head of Risk) (RB)
Tom Lee (Group Financial Controller) (TL)
Jonathan Hill (Group Compliance Director) (JH)
Anshu Mathur (Group Assurance Director) (AM)
Marie Molloy (Senior Assistant Company Secretary) (MM)

1. Welcome and Conflicts of Interest
In the absence of Alisdair Cameron, the members nominated Ben Foat to
Chair this RCC meeting only.
The Chair opened the meeting and advised that all papers would be taken
as read. No conflicts of interest were declared.
2. Contract Management Framework (Verbal update)
LC, SK, SG & MU entered the meeting.
LC outlined the increase in non-compliant expenditure and failure to comply
with the Contract Management Framework (CMF) which was making
contract management more difficult. Although the CMF was owned by the
legal team, it was a devolved operating model, with the business
accountable for ensuring compliance. Web 3 was used to assist contract
management and should flag when contracts were coming to an end.
However, some data on Web 3 had been found to be inaccurate/incomplete.
There was now more awareness of the non-compliance issues and contracts
had been presented to GE and POL Board for retrospective approval.

LC advised that a complete contract audit was an inordinate amount of
work and was not something he was recommending. Consideration was
given to reviewing where total expenditure to the supplier last year was
either £0.5m or £1.0m. Tiering suppliers by strategic importance was
discussed, as was where responsibility for Contract Management sat. The
Chair praised the clarity of LC’s update.

SG recalled papers which proposed solutions had been presented to GE
previously and resource and prioritisation issues were outlined. MU advised
that the CMF had come into force in 2019 and acknowledged that it needed
to be re-visited. The role of contract manager and contract owners and
accountability were considered. Contract owners and contract managers
leaving POL without transferring their responsibilities to a colleague were
highlighted. JA spoke of potential consequences and enforcement for non-
compliance with the framework and that the previous purchase to pay audit
had found Web 3 anomalies and data quality issues with transactions not
following the correct process. JA was planning an internal audit to look at
the process.

The benefits of a decentralised approach to the first line of defence were
outlined by the Chair and AM confirmed that this was a normal approach
adopted by many other organisations, but that it required strong
monitoring from the centre to be effective. ZM discussed GE oversight and
that GE-1 were managing the contracts. The Chair recognised the gap in
assurance that was in an immature state and was just starting to be set up.
AM considered that this was work usually undertaken by functional
compliance and LC outlined resource challenges. SG discussed Web 3 and
the procurement data on the CMF. ACTION: An offline conversation was to
be held regarding the way forward to assess what the potential problem
statement and routes to remediation were. LC/SG/MU/SK
ACTION: The Chair requested a noting paper to June RCC/July ARC on the
CMF risk and increase in non-conformance and possible resolutions. The
Chair would highlight the risk to the ARC Chair in the interim. LC/SG/MU/SK
ACTION: The Chair suggested that the 44 top strategic contracts were
reviewed; the legal team had the list of contracts. LC/SG/MU/SK
ACTION: MJ suggested that the parties speak to TL’s team in finance on
lessons learned from the balance sheet project that had similar data quality
issues. LC/SG/MU/SK/TL
The RCC NOTED the Contract Management Framework Verbal update.
LC, SK, SG & MU left the meeting.
3. Postmaster Policies - Contract Performance, Contract Suspension,
Contract Termination and Decision Review Policies

DS entered the meeting.

DS outlined the work undertaken on the annual review. AM confirmed that
the team were currently in the last stage CIJ assurance review of the
Postmaster policies. The RCC determined that it would be preferable to
submit the policies for approval after this assurance, rather than prior. The
Legal team were also due to sign them off. Therefore, submitting the
policies for approval was deferred to June RCC/July ARC.

The RCC NOTED the update on Postmaster Policies - Contract Performance,
Contract Suspension, Contract Termination and Decision Review Policies.

DS left the meeting.
4. Data Governance Framework Approval

MT, VT and KD entered the meeting.

ZM outlined the work undertaken on the Data Governance Framework
(DGF) which was based on an industry standard framework and customised
for the specifics of POL. In addition, the data maturity framework would
track the progress against the various maturity levels. ISO certification
would be considered in the future. ZM reported that the inaugural Data
Governance Committee was convened on 24 May 2023.

Whilst not a formal policy, ZM confirmed that the Data Governance
Committee decided to request approval of the Data Governance Framework
at the RCC and ARC as it will form the direction of travel in relation to data
governance maturity across POL. The timelines to deliver level 2 maturity
were highlighted by ZM.

The Chair praised the paper and the DGF. The Chair asked about the
progress towards timelines between the present and February 2024. VT
confirmed that the next update would be on the dates and February 2024
was based on the formal approval of funding. JA referred to appendix 1 of
the paper and different aspects of data governance having different
maturity levels. ZM said that as an organisation all areas should be
targeting to be at level 2 and anticipated that some areas would progress
faster than others.

JH considered that consequences should be built in from the start. MT
confirmed that no consequences had been stated. AM considered that
compliance/adherence to control standards should have an input to overall
Senior remuneration. The Chair suggested a compliance objective as part of
the broader cultural progress. MJ had seen this in previous organisations,
linked to progress. ACTION: IR to provide an update to RCC on potential
for a compliance objective. IR

The meeting discussed that this was a framework rather than a formal
policy. AM considered that the framework had the content to create a
policy. VT outlined policies such as the document retention policy which may
eventually all be brought together under one umbrella. MJ considered how
the framework could be delivered and VT highlighted the work of the
Deputy Data Sponsor on this.

ACTION: The definition of unstructured and structured data was to be
provided as a footnote. MT/VT


ACTION: Risk to be reassessed as the Chair highlighted POL were at risk of
not complying with legal obligations. RB/JA
The RCC APPROVED the Data Governance Framework for onward
submission to the ARC.
MT, VT and KD left the meeting.

5. Integrated Assurance Plan for SPM (Verbal Update)
ZM provided this update.
ZM noted the elements of NBIT assurance that were outside of his scope:

1. Retail Transformation Programme (RTP) encompassing the roll out
and if the training was fit for purpose
2. Operational BAU processes encompassing contractual/legal
readiness.

JA outlined the audit action from April 2022, to establish a second line of
assurance for the NBIT programme. The balance of the request had gone to
the RTP. ZM considered that RTP needed to stand up their own assurance.
Differentiation was made between SPM, RTP and BAU. The Chair
acknowledged the broader assurance and the time frame implications. ZM
would therefore provide an update to ARC on the Technical Assurance plan.
ZM confirmed that Mazars had been engaged in January 2023 as external
advisors and had built upon the work ZM’s team had undertaken. A deep
dive would be provided to June RCC/July ARC.
ACTION: Offline conversation regarding the way forward for Integrated
Assurance Plan for SPM. Chair/ZM/JA/AM
The RCC NOTED the Verbal Update and an update would be provided to
May ARC regarding the Technical Assurance plan. The Integrated Assurance
Plan for SPM would be on the June RCC/July ARC agenda.

6. Fraud Risk (Verbal Update)
JA provided this update.
JA acknowledged there were many preventative and detective controls
across the organisation but these were not centrally assessed. A draft paper
had been produced following the March 2023 RCC. This had received
additional feedback from the financial crime, assurance and compliance
teams which needed to be incorporated. The Fraud Risk paper would
therefore be deferred to June RCC/July ARC.
The RCC NOTED the Fraud Risk verbal update.

7. Risk, Compliance and Audit Update

7.1 Risk Report & Dashboard. Risk Appetite Statements (Commercial)
JA introduced this item.
JA acknowledged that as the top 10 risks did not really change there had
been a difference in approach by undertaking rotational deep dive exercises


across the business. The appendix contained the top 10 risks outside
appetite and tolerance. Emerging risks would also be called out in the
paper.

JH agreed with the rotational deep dive approach and asked about how to
manage risk between the deep dive cycles. RB confirmed there was still the
monthly risk dashboard and risk management reports to highlight areas of
concern every quarter so any interim issues would be called out.

JH considered how the business could use risk assessments to highlight
issues before they became so. The Chair noted the centralised risk team
reduction from six to three, meaning that the first line had to step up. AM
proposed that the deep dives followed a cyclical calendar and that the risk
owners should be requested to present their risk profile and residual status.
JA confirmed there was a rotational forward plan.

The Chair observed that the information contained in the paper Executive
Summary may need further escalation and conversation with the
shareholder regarding the risks remaining outside of agreed tolerance
level. Training requirements for the first line with fewer centralised risk team
members were highlighted. The Chair discussed succession planning in the
context of the people risk appetite statement which RB agreed to reflect.

The Chair referenced the retail risk and acknowledged the emerging risk but
that Postmaster numbers were currently tracking normally. ACTION:
Losses still needed to be resolved and the Chair requested a report back to
RCC regarding the investigation process and encompassing CIJ/HIJ
conformance. Mel Park

The Chair observed that in relation to management of historic data Simon
Recaldin had been named against this but he considered this was broader
than Simon. RB confirmed that the risk title would be reworded and agreed
with Simon and the team as she accepted that the original risk name was
misleading.

The RCC:
- NOTED the status of key intermediate risks and
- APPROVED the proposed appetite & tolerance levels for People risks
for onward submission to ARC.

7.2 Compliance Report

JH highlighted that another discovery of boxes had been made in an old
DMB on a floor not used by the DMB. JH gave consideration to area
managers undertaking checks of areas. The Chair considered the logistics of
instruction sheets/training and timetables. AM considered this from the
aspect of why the boxes had been missed in December 2022 and what
lessons or feedback should be given to the accountable areas. ACTION: JH
to present a report to GE tactical.

JH discussed the increase in FOI requests/DSARs and an additional lawyer
had been recruited. JH advised there would be an additional resource
request in the future.

JH reported that HMRC were unlikely to do a supervision visit this year,
thus the Fit & Proper development work was likely to be delayed.


AM highlighted the work undertaken on historical matters. In relation to
CIJ/Postmaster policies, the team were starting to issue preliminary
findings for factual validation.
AM confirmed that Whistleblowing and investigation fieldwork had
commenced the previous week.
ACTION: an offline conversation to be held between the Chair, ZM, JA and
AM regarding HIJ Assurance. Chair/ZM/JA/AM
The RCC NOTED the Compliance Report and APPROVED the report for
onward submission to the ARC.

7.3 Internal Audit Report
TB entered the meeting.
JA advised that two audits were not completed as they had been delayed
due to challenges in getting information from third parties. Seven audits
had been concluded. Three of these had been rated adverse: legal costs,
Horizon - IT Operations and Service Continuity and SPM - R2 Readiness &
Governance (rated a major delivery risk).
JH asked about any impact of delays to the 2022/23 plan on the 2023/24
plan. JA confirmed that the audit year was May ARC to May ARC and they
were nearly on track as there were two remaining audits to finalise and
2023/24 would not be adversely affected.
ZM acknowledged that the Ransomware audit was not rated but sought the
team’s view. JA referred to the memo regarding the Deloitte findings on
this area, in comparison to 2020 there had been significant improvement.
ZM discussed the SPM R2 Internal Audit findings, acknowledging the further
work required. JA commented positively on the oversight of service delivery
and effective processes in place.
In relation to his SPM management comment, ZM was to give consideration
as to whether he would amend the sentence about engagement with the
audit team.
JA outlined that he had been approached by POI as they had not been
aware that POL Cyber risk was outside of appetite and tolerance and they
were concerned about awareness of POL risk positions that may impact POI
and how they would get visibility of these. MJ considered there was a
continual obligation and this would be addressed in the new Master Services
Agreement. ACTION: Risk reporting and what could be shared with POI
was to be discussed offline, with consideration given to any Inquiry related
issues. JA
The RCC NOTED the Internal Audit Report and APPROVED the report for
onward submission to the ARC.
TB left the meeting.

8. Policies for Approval

8.1 Internal Audit Charter

The Internal Audit Charter was APPROVED for onward submission to the
ARC.

8.2 Business Continuity Policy

The Business Continuity Policy was APPROVED for onward submission to
the ARC.

8.3 Speak Up Policy

SG observed that a replacement Whistleblowing Champion needed to be
appointed. ACTION: Whistleblowing Champion needed to be appointed. SG

SG proposed that Speak up be added as a standing item to the ARC
agenda. ACTION: ARC chair to be consulted regarding adding Speak up as
a standing item on the ARC agenda. Chair

The Speak Up Policy was APPROVED for onward submission to the ARC.

8.4 Group Legal Policy

SG outlined the Group Legal Policy to assist the business in minimising legal
risk. The policy took into account CIJ and HIJ findings. Engagement with
external firms, via the legal team, was encompassed in the policy and
would control costs.

The Chair congratulated SG on the work done by her and the team and
commented that it was an excellent policy.

The Group Legal Policy was APPROVED for onward submission to the ARC.

9. Previous Meetings

9.1 Minutes (14 March 2023)

The minutes of the Committee meeting held on 10 January 2023 were
APPROVED.

9.2 Action List

Progress on completion of actions as shown on the action log was NOTED.

10. Audit, Risk and Compliance Committee pre-meeting review

10.1 ARC Agenda - 16 May 2023

The Fraud Risk paper and Postmaster Contract Performance, Postmaster
Contract Suspension, Postmaster Contract Termination and Postmaster
Decision Review Policies were deferred to the July ARC, to enable further
work to be undertaken on them and ensure alignment with current
assurance activities.

The Integrated Assurance Plan for SPM Verbal Update would now be a
Technical Assurance Plan for SPM verbal update to 16 May ARC.

The draft ARC agenda for 16 May 2023 was NOTED by the RCC.

10.2 Forward Plan (including RCC only items)

The Committee & ARC forward plan was NOTED by the RCC.

11. RCC Terms of Reference

MM outlined the proposed change in RCC Terms of Reference membership,
that Section E - Composition and Governance, paragraph 7 be amended so
that the Retail Engagement Director is admitted to the Membership of the
RCC, and the role of Retail Operations Director is removed from RCC
Membership. Paragraph 10 was also to be amended to include the Group
Assurance Director as a permanent invitee of the Committee.

The RCC Terms of Reference were APPROVED for onwards submission to
GE.

12. Any Other Business
The Chair observed that it would be good to see GE better represented at
RCC.

There being no other business the Chair declared the meeting closed at
12.29.

13. Items for Noting

13.1 Procurement Governance & Compliance
The Procurement Governance & Compliance Paper was NOTED by the RCC
and APPROVED for onward submission to the ARC.

13.2 Strategic Partner Risk & Failure Monitoring Paper & Dashboard
The Strategic Partner Risk & Failure Monitoring Paper & Dashboard was
NOTED by the RCC and APPROVED for onward submission to the ARC.

13.3 Payment Practices Reporting Compliance

The Payment Practices Reporting Compliance Paper was NOTED by the RCC
and APPROVED for onward submission to the ARC.


Tab 3.1 Risk Report & Dashboard -Risk Appetite Statements (People) -Retail & Franchise Risk & Group Corporate Affairs Risk Deep Dives

Post Office Limited - Document Classification: INTERNAL

POST OFFICE LIMITED

AUDIT, RISK & COMPLIANCE COMMITTEE REPORT

Title: Risk Update
Meeting Date: 16 May 2023
Author: Rebecca Barker (Head of Risk), Johann Appel (Director of Internal Audit & Risk)
Sponsor: Alisdair Cameron

Input Sought: Noting/Approval

The committee is requested to:
i. Note the status of key intermediate risks;
ii. Approve the proposed appetite & tolerance levels for People risks.

Executive Summary
We have performed risk deep-dives into Group Retail, Group People and Group Corporate
Affairs. This entails an end to end review of a specific risk, focus area or concern. Whilst a
number of risks remain outside of agreed tolerance levels, we will not be escalating any
additional risks to DBT outside of what has already been escalated in December 2022.

There are no emerging risks to note in this reporting period. The risk with regards to the inability
to identify, investigate and resolve discrepancies in the network has been assessed as being
outside of tolerance (refer to appendix 1 for more detail).

In addition to the standard report, we have included the proposed People Risk appetite
statements, for which we are requesting approval from the ARC.

Report

1. Changes to risk management assurance: Following the implementation of SNOW GRC,
the reorganisation of the Central Risk team is now complete. First line are accountable for
actively managing their risks; the central risk team will support this by:

- Performing a risk deep dive on a 6 month rotational basis across all business units
(refer to appendix 2 for forward plan).
- Providing the Intermediate risk dashboard to GE members every other month
ensuring key risks are accurately reported.
- Providing a risk data quality dashboard to GE members and their teams on a quarterly
basis to highlight areas of risk which are not being managed as per the Group Risk
Management policy.

2. Deep Dives: A risk assessment deep-dive will help target and improve specific areas of
risk. We will focus on areas of key risk. During this reporting period we completed the deep-
dives for Group Retail, Group People and Group Corporate Affairs. Apart from the deep-
dives, we will continue to report on key intermediate risks and progress with risk responses
(see appendix 1). For transparency, all intermediate risks have been included within the
reading room.

Risk Deep Dives
3. Group People: Staff changes within Group People have prevented a full review of risks -
we are working with the team and will perform the full risk review in readiness for the
September RCC/ARC. As part of our commitment to improve risk management across the
business, the Central Risk team have proposed a set of revised people risk appetite
statements. These statements have been reviewed and agreed with Jane Davies and her team.
The proposed statements are detailed within this report in appendix 3. We are seeking
approval from the committee for onward submission to ARC.

Recommendations: Currently there is a high number of Intermediate risks, 18 in total and
it is unclear which of these risks are key and would therefore require visibility at the
RCC/ARC - Central Risk are working with the team to review all risks with a view to clarify
and consolidate.

4. Group Retail: Intermediate risks have all been reviewed with the senior leadership team
to ensure the correct accountability to take appropriate decisions about risk remediation.
Whilst a number of risks are currently being reported as outside of tolerance, remediation
plans are being developed. Themes identified during this deep dive are:

- Capacity to absorb and support delivery of change driven by key programmes, if change
is not planned and aligned correctly. Capacity in branches, contact centres and field
teams will not be prepared to support and land the high level of change. The Retail
team are launching several activities across the business to remediate this risk such as
the introduction of Air Traffic Control to manage workload and change, quarterly
updates at a senior level to ensure changes and activities are agreed, and projects or activity
will require a fit to land status, otherwise it does not go to market.

- Postmaster losses increasing every month, remediation plans to be agreed.

- High number of local risks (117) which appear to include a level of duplication and are
currently not aligned to Intermediate risks — this requires further review and we expect
to reduce the number of local risks by around 50% following the review.

Recommendation: Whilst the business is responsible for planning and delivering change,
it is evident that poor engagement from the branch network could result in increased poor
delivery. For example, the “copper stop sell” programme has identified a low response rate
from the branches to support activity that is required in branch to switch from copper
connections - recent figures show an 80% failure rate of branches responding to the work
required in branch to complete copper stop sell activity. We recommend that a risk
assessment should be carried out to understand the impact of low engagement levels from
branches on key programmes which are reliant on branches working with the business to
deliver to plan. We will work with the team to support this assessment.

5. Group Corporate Affairs: Intermediate risks have been reviewed with the senior
leadership team. One of the key risks for Post Office in relation to the Horizon Scandal is
media spotlight resulting from the public Inquiry. Whilst the main risk relates to consumer
impact, there are other potential impacts such as corporate brand reputation, which could
impact our ability to work with preferred suppliers, challenges with colleague recruitment,
increased levels of dissatisfaction with existing postmasters and an impact on recruiting new
postmasters. The brands team collects data to measure the possible impact on our brand,
which gives us insights into the following areas:
- Brand metrics associated with Industrial Action have stabilised.


- Levels of spontaneous and prompted awareness of the Horizon Scandal are steadily
reducing and are at levels seen in the last half of 2021.
- Agreement of “treats postmaster fairly” is slowly rising and “trustworthy brand” is
more positive, but still below levels of last summer.
- Positive mentions increased further in March.
Whilst brands data suggests that we are ‘weathering the storm’ somewhat, there are a
series of upcoming events that may heighten public awareness:
- The ITV drama "People vs Post Office" is planned to air in Q1 2024.
- ITV has also announced a documentary to accompany the drama series, called
"People vs Post Office: The Real Story."
- The public inquiry will report its findings sometime in the next 12-18 months, with
an expected increase in media attention during that time.
Recommendations: Whilst the Intermediate risks have been confirmed this requires
updating within SNOW GRC. We will support the team to ensure all risks are updated
correctly.

Update on other areas

6. Group Technology: Intermediate risks for NBIT, Fujitsu contract extension and Fujitsu
end-of-life have been discussed with the risk owners and included within appendix 1.
Following the reformation of the NBIT programme into 2 channels, SPM and RTP, the
technology risk has been revised to reflect the delivery of the technology solution by March
2024. Discussions with regards to RTP risk will take place following the board meeting on
the 8th of June when the NBIT plan is approved.

7. There is no change to the Cyber Security risk posture; for awareness, key remediations are:

- Ransomware report is now complete and initiatives are being planned and prioritised.
- Ransomware playbooks being finalised prior to holding a training session with GE
stakeholders - before end of Q2.
- Lessons learnt from RMG ransomware incident to be presented to ARC - before end of
Q2.

8. Group General Counsel: Central Risk have worked together with the Legal team and all
assessments are now complete on SNOW GRC for intermediate risks. A local risk review is
in progress with the financial crime team to remove any duplications of risk and controls.
HMU risks that were previously reported to the RCC/ARC in January are now tracked in
SNOW GRC.

Next Steps & Timelines

9. “Deep Dive” risk review with Group Technology, Group Finance and Group Strategy &
Transformation to be presented at the ARC.


Appendix 1 - Top 10 risks for May outside of appetite

- Enterprise Risk: RAG status relates to the High, Medium or Low scoring Enterprise risk - the score is assessed
using the roll-up of Intermediate risks.

- 8 of the 10 risks reported this period are outside of tolerance and reporting red - this may appear alarming,
however, it should be noted that the risks remain stable and the underlying cause around remediation remains
reliant on funding and delivery of key programme activity in progress. We have not identified any risks that
require escalation to DBT unless the committees advise otherwise.

Risk: Inability to rebuild trust with postmasters (5:3) - Risk ID RK0021816
Status: Stable - no movement to the risk posture.
Mitigation:
- We have just concluded the annual postmaster research survey using an independent agency, Quadrangle. The results will help us to prioritise postmaster activity and focus on areas where we need to support them more.
- Over the last two years we have been making improvements to the support we provide to postmasters.
- All areas of postmaster support are currently being reviewed as part of our preparation for the Inquiry and evidence giving in phases 6/7, identifying improvements to date, gaps and future actions to further improve. These will be validated by the Improvement Delivery Group, chaired by Nick Read.
Review date: [not legible]
Risk: Inability to provide a resilient Supply Chain operation (4:2) - Risk ID RK0021239
Status: Reduced - likelihood reduced from 3 to 2.
Mitigation:
- Contingency plans are in place (manual workaround, although we can deliver far less manually, so not without impact).
- We now have external contracts in place with third parties to provide contingent support.
- High speed note counter is delivered, making cash centres far more resilient.
- PDA replacement programme is underway; these will be rolled out this year (project is in build phase).
Review date: November 2023
Risk: Inability to identify, investigate and resolve discrepancies in the network (4:5) - Risk ID RK0021792
Status: New - full mitigation to be planned with timelines and agreed target dates.
Initial mitigation:
- Timely SLA review with insights and action where required.
Review date: November 2023
Risk: Inability to improve Branch Profitability (3:?) - Owner: Martin Edwards
Status: Stable - no movement to the risk posture. NSA programme to be submitted to IADG for funding.
Mitigation:
- Prioritise remuneration increases as part of the overall budgeting process, ensuring the share of POL income going to postmasters is at least maintained if not grown (which in turn is dependent on control of POL cost).
- Protect investment in automation (e.g. next generation self service kiosks) in order to mitigate [illegible] in our [illegible] largest branches.
- Continue the data-driven approach to Area Manager interventions with postmasters, building on the Q4 22/23 Branch MOTs, enabling value-adding conversations around how branches can reduce costs and grow sales.
- Reshape the network in line with our target blueprint to shift towards more sustainable branches, supported by the investment in the 'Network Strategy Acceleration' programme.
Review date: November 2023

Risk: Lack of public trust due to historical issues (4:3) - Risk ID RK0021078
Status: Stable - no movement. Key actions [remainder of line illegible].
- Appetite to be agreed.
- A drop in brand trust has been identified over the last 12 months, usually following specific events (e.g. Public Inquiry, media coverage, Panorama); we usually see a recovery in subsequent months over a 60-90 day period.
- Currently no evidence of adverse impact from a trading perspective.
Mitigation:
- Continue to closely monitor using our monthly brand tracking mechanism to identify any continual decline that could be a result of GLO.
[Further text redacted: CONFIDENTIAL]
Review date: September 2023


Risk: Inability to deliver the technology solution to enable NBIT rollout to begin in April 2024 (6:3) - Owner: Gareth Clark
Status: No movement to the risk posture as this is a new risk; split the risks for NBIT SPM and NBIT RTP.
Mitigation:
- The Technology teams behind NBIT will conduct a re-baselining effort to reset the April 2024 timetable.
- Following that reset, the Technology team will report progress against the plan to RTP on a regular basis in order to provide maximum early visibility of slippage.
- When available, key delivery dates of the tech solution (SPM) will be detailed as part of the mitigation.
Review date: July 2023

Risk: (Inability to extend Fujitsu contract) Significant financial risks if exit of the Horizon agreement is not adequately managed (6:4) - Owner: Simon Oldnall - Risk ID RK0023031
Status: No movement to the risk posture. Data Centre Operations and Core Network services extended to March '24 via a contract modification. The overall services agreement completion date remains March '25.
Review date: July 2023

Risk: End of life technology (Fujitsu) [title partly illegible] (6:3) - Owner: Simon Oldnall - Risk ID RK0020077
Status: No movement to the risk posture. Further assurance of [illegible] is being provided; we ensure remediation plans are underway, to be addressed either by datacentre fortification, SPM or [illegible] where items require funding to address more urgently.
Mitigation:
- Belfast Fortification project being mobilised; this project will focus on critical items that are EOSL and require mitigation/spend. Refresh Programme 3 (also known as Datacentre Fortification) now scoped and funded for all items assessed as critical for service continuity. Detailed programme plan to be baselined by 19/5/23.
- Ongoing review of the EOS register to determine approach on a component by component basis, being managed via the Horizon Architecture & Security teams (Sally Rust & Dean Bessell).
- Discussions around the approach to Oracle support & potential upgrade are ongoing and will be presented to the POL Board in June.
Review date: July 2023

Appendix 2 - Forward plan for Risk Deep Dives

Area | Executive | Risk team lead | Scheduled
Group Commercial | Owen Woodley | Audrey Cahill | March, Sept, March 24
Group General Counsel (including historical matters) | Ben Foat | Audrey Cahill | March, Sept, March 24
Group Corporate Affairs | Richard Taylor | Audrey Cahill | May, November
Group People | Jane Davies | Audrey Cahill | May (appetite), September, March
Group Finance | Al Cameron | Rebecca Barker | July
Group Technology | Zdravko Mladenov | Rebecca Barker | July, January 24
Group Retail & Franchise | Martin Roberts | Rebecca Barker | May
Group Strategy & Transformation | Tim McInnes | Rebecca Barker | July, January 24

Appendix 3 - People Risk Appetite Statements

People Appetite statements are submitted for onward approval to the ARC.

Lack of a High Performing Leadership Team
We have an Averse risk appetite to risks that arise from a lack of performance leadership, accountability and direction. We therefore would be extremely reluctant to accept risks materialising if this meant the achievement of (some) strategic objectives would be compromised.

Sub Optimal Business Culture
We have an Averse risk appetite to risks that arise from unethical behaviour, prejudicial treatment of different categories of people and our failure to proactively and effectively manage our Unions, Employees and Postmaster relations. We will avoid nearly all risks where at all possible.

Lack of Visibility of Talent, Inadequate Succession & Development Planning
We have a Cautious appetite to risks that arise from our failure to identify key person dependency and implement effective succession planning to attract, retain and engage new and existing colleagues, and from our failure to address poor performance, conduct and cultural behaviour. This means that we would be somewhat reluctant to accept risks materialising and the possibility and extent of the failure is limited.

Inadequate HR Processes
We have a Cautious appetite to risks that arise where Post Office fails to efficiently and effectively onboard new employees, transfer from one business or location or one position to another, and fails to process leavers in a timely manner, and from our failure to drive consequential action and lack of agility with processes resulting in inconsistent application. We will accept some risks materialising but only if the activity giving rise to the risk was unknown and the extent of the failure is limited.

Inadequate Reward & Recognition Schemes incl. systems & [remainder illegible]
We have a Cautious appetite to risks that arise from Post Office failing to provide reward, benefits and incentive payments to employees that align with employee expectations and the market environment. This means that we would be somewhat reluctant to accept risks materialising and the possibility and extent of the failure is limited.


Tab 3.2 Group Compliance Update

POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT

Title: Group Compliance Update    Meeting Date: 16 May 2023

Author: Jonathan Hill, Compliance Director    Sponsor: Ben Foat, Group General Counsel

Input Sought: Noting
The Committee is asked to:

Note the Group Compliance update. In summary, hard copy data management and control remains a
significant risk, but this has been recognised and plans are being developed to create an effective
governance framework, which is due to be presented by the Data Management team at this RCC.

Following delivery of some tactical fixes and analysis of the remaining issues, a new prove case to
identify the right solution to the ongoing HMRC Fit & Proper reporting issues is being progressed. We
are working with the banking team and banks to understand the impacts of the introduction of banks’
AML controls for banking cash deposits and during the remainder of H1 will assess the capability of
Post Office detection controls to identify potential improvements.

On the assurance of historical matters: good progress continues across all areas; the CIJ assurance
fieldwork has now been completed, with completion of the HIJ assurance fieldwork quickly following.

Please note the reading room contains details on — supply chain compliance, gifts & hospitality
reporting, mails compliance, suspicious activity and investigations, data protection, FOIRs and horizon
scanning.

POL Compliance Status/Overview
“Please note Group Compliance does not oversee all areas of the business.

1. The areas in which we continue to identify potential and emerging risks are:

a. Data Protection / Information Rights
The Hard Copy Audit

The management and control over hard copy data continues to remain a significant risk.
Compliance’s Data Protection Team continues to work with and support the Hard Copy audit team
across the project.

To date, from the hard copy assurance exercise, POL has harvested over 87,000 hard copy
documents, it has reviewed over 25,000 documents in Relativity against existing Rule 9 Requests
and produced 912 documents responsive to Rule 9 Requests, and 12 additional documents of
interest. Assessment against the hard copy data will continue for all phases of the Inquiry and all
Historic Matter programmes.

As the project moves towards conclusion the following ongoing activities will be completed

- Complete the review of data for any training or operational manuals, to ensure as full a library of
manuals as possible is available to the Inquiry teams.

- Extraction of a sample of electronic data (CDs/USBs) has started, with initial work to be completed by
12.05.

The Hard Copy Index


It was previously reported that there were concerns regarding the accuracy of the QA run by Oasis on
the indexing programme. [Text redacted: CONFIDENTIAL]

The response from stakeholders, in particular HSF/Inquiry, will drive timelines and
budget requests, with further discussions with HSF before being brought back to the POL team for a
decision on how to proceed. The dates for this will depend on the level of escalation and the decision
on next steps within POL.

FOIA /DSAR

There has been a significant month-on-month increase in volume of FOI and DSAR requests. It is
evident from the nature of the requests that these increases are being driven by the Inquiry and
Compensation Schemes. These rises were anticipated, and the team has been resourced
accordingly. However, as the trend continues to rise an additional lawyer is being recruited into the
team.

GLO Scheme

The Information Rights team is supporting colleagues in HM and will be conducting a second line
review on disclosures being made to DBT and external law firms. To assist this work the team has
approval from the HM Resources forum to recruit 4 FTE.

There is an increasing risk that the external law firms acting on behalf of clients are considering
submitting bulk DSARs. We are working on a contingency plan and are in discussions with DBT to
put in place a disclosure plan that meets the needs of the claimants. However, should this risk
materialise into an issue then this will have severe resourcing issues for POL.

Financial Crime/AML/ABC

A Fit and Proper Remediation Prove Case asking for funds to investigate the options for solving the
various problems with F&P reporting has been raised by Commercial and is going through the
approval process, albeit there are challenges with funding this work within a specific business line.

The monthly reporting continues to be collated manually. A further update on next steps, timelines
and residual risk will be provided at the June RCC.

HMRC have advised they are unlikely to undertake a supervisory visit this year, due to resource
issues to facilitate branch visits, but they expect to do this early next year. They will undertake a
focussed deep dive of transaction monitoring and SAR investigations, albeit any recommendations
will be issued as supportive guidance/best practice and not under the regulatory penalty framework.

HMRC is still finalising the process to collect the Economic Crime Levy, but we anticipate POL will fall
into the ‘Very Large’ band and therefore the levy will be £250k, although this is not yet clear.

Each regulated entity has to pay; therefore POMS, which is FCA regulated, will also need to pay the
levy as a separate entity, although it is likely that POMS revenue will fall into the lower band,
for which the levy is £36k.

Re-assessment of Banking Cash Deposits has been completed, with no significant changes or
findings. Implementation of the banking deposit limits imposed by the FCA remain in their infancy and
we are not yet able to determine their impact. Unfortunately, the limits will restrict our ability to detect
unusual and suspicious activity at Post Office counters, as smaller transactions are harder to identify
as suspicious. Work will be undertaken to assess the capability of Post Office detection controls and
identify potential improvements during the remainder of H1.


Gift and Hospitality submissions increased by 34% in the past 12 months and we continue to see
instances of late reporting or failing to obtain approval before accepting offers. Non-conformances
are escalated and a communication to the business highlighting expected standards of reporting and
the importance of adhering to policy was sent in April.

The Economic Crime Plan 2 (ECP2) was launched by the Home Secretary on 30.03.2023, following
the Economic Crime (Transparency and Enforcement) Act in March 2022. It sets out what the public
and private sectors should do to crack down on kleptocrats, money laundering, sanctions busting
and fraud; the potential impacts for Post Office are currently being evaluated.

c. Financial Services

Mystery shopping is showing a gradual improvement. In Q4 20.7% have been graded Red. This has
reduced from 29.6% in Q3 and 34.9% in Q2. Travel Insurance has caused the most concern with
31.6% being graded Red in Q4. However, this shows a reduction on Q3 where 43.4% were graded
Red. A simplified Travel Insurance journey was introduced on 07.3.23. Mystery shopping will
commence to test the new journey in April, and we expect results in this area to improve.

Red graded shops for Savings in Q4 are 13.6% and Over 50’s 20%.
d. Mandatory Compliance Completion Rates at 02.05.2023

The following business functions are currently below target for completion of mandatory compliance
modules against the agreed KPI of 95%.

CEO's office — 8

Technology — 6

Enterprise — 2

People - 3

Strategy & Transformation — 4

4 out of 10 areas have not achieved 95% for GLO training, which closed on 10.04.23. This data does
not include H&S Essential training, which is live and ends on 12 May 2023.

e. ‘Historical Matters’*- Assurance
In the period since the last ARC in March 2023:

e Stamp Stock Scheme (SSS) — The final report has been issued to the HM Governance team. As
previously mentioned all preliminary findings have been adequately addressed resulting in good
levels of compliance.

- CIJ Assurance: initial fieldwork stages on CIJ are now complete and preliminary findings are being
discussed with stakeholders during May 2023 to assess factual efficacy and confirm whether further
supporting evidence is available. The next stage will involve issuing final recommendations
and commencing continuous assurance.

- HIJ Assurance: we have progressed fieldwork to a stage where preliminary observations will
be shared with Technology in May 2023.

e Inquiry and HSS Assurance reviews have also commenced focussing on assessing adequacy of
processes and procedures (Rule 9, 218 readiness, witness prep, disclosures/application of
shortfall schemes etc).

e Tech Change fieldwork is now in the final stages of completion and a final report should be issued
end of May 2023.

e Whistleblowing/Speak Up Assurance programme -— This is now in fieldwork stage and sample of
cases are being reviewed to assess adherence to processes and procedures. Targeting
completing these reviews in May/June 2023.


- Postmaster Policy reviews: all 12 PM policies are now in draft reporting stage and will be shared
with the business after they have been aligned with the CIJ assurance work. Targeting to share
with the business in May 2023.

Please refer to Appendix 2 for the detailed breakdown on the ‘Historical Matters’* - Assurance

workstreams.
* As previously presented to RCC/GE and ARC, 'Historical Matters' - Assurance covers Schemes, IDG (HIJ/CIJ), Inquiry and Control
Framework.
Appendix 1 - Status of Group Compliance Activities

The table below provides a status of 2022/23 Group Compliance Activities (the RAG status and assurance-result columns did not survive extraction and are given where legible):

Activity: Group Policy Assurance
2022/23 activity: 5 policy reviews are due between [dates not legible]
Status: PAUSED
Comments: Group policies' annual renewal cycles are being met in the majority of cases.

Activity: Postmaster Policy Assurance
2022/23 activity: Review all 12 PM Policies by 31 March 2023
Comments: All 12 Postmaster policies are now in draft reporting stages. Improvements are needed on oversight and governance, control standards and consistent policy adherence.

Activity: FS Mystery Shopping
2022/23 activity: 1200 shops per month are planned for the rest of 22/23 (excl. Dec)
Comments: YTD (Apr-Mar) 544 branches have been graded Red (31%); breakdown by product is Travel Insurance 46.7%, Savings 18.2%, Over 50's 17.7%. An improvement has been seen in Q4, where overall 20.7% have been graded Red. Travel Insurance is causing the most concern. The branch sales journey was simplified on 7 March 2023. Travel Insurance mystery shopping was paused in March to allow the new process to bed in. This will resume in April, where we should realise an improvement in this area and therefore in overall mystery shopping results.

Activity: Data Protection and Information Rights
2022/23 activity: Accountability Framework planned actions for 2022
Comments: POL management and control over hard copy data continues to remain a significant risk and an exposure (from an Inquiry and GDPR perspective).

Activity: Financial Crime
2022/23 activity: AML/CTF, ABC & FC policies and risk assessments completed; Fit & Proper [remainder not legible]
Comments: Travel Money, Credit Card and In-Branch Verifications remain outstanding from the Q4 22/23 assessment schedule but will be complete by the end of April 23. The risk assessment schedule for 23/24 has been agreed and issued to key stakeholders. Key [text not legible] agent data and current manual workarounds and occasional instances of G&H [remainder not legible].

Activity: Historical Matters Assurance
2022/23 activity: Please refer to Appendix 2.
Comments: Significant progress has been made in all areas, particularly CIJ, Stamps Stock, HSS, Tech Change, Speak Up and Investigations. In addition we are targeting to commence continuous assurance on CIJ in June/July.


Appendix 2 - Assurance status at 10 May 2023

Area: Inquiry
Comments: Assurance activity is on hold whilst the Inquiry team reassess their data and documentation.

Lines | 1 - Not Started | 2 - [header illegible] | 3 - Awaiting Further Evidence | 4 - Complete | Total | % Complete
Disclosure and Data | 0 | 0 | 79 | 0 | 79 | 0
218 Readiness | 0 | 0 | 8 | 0 | 8 | 0
Responsibility Tracker | 0 | 0 | 30 | 0 | 30 | 0
Witness Preparation | 0 | 0 | 10 | 0 | 10 | 0
Grand Total | 0 | 0 | 127 | 0 | 127 | 0

One of the assurance team has moved back to the Inquiry team to support them with identifying the key documents to enable
us to complete this review. We will re-assess the status on 18 May.

Area: Shortfall Scheme
Comments: Due to prioritising CIJ completion, the timelines for completing additional claims and final assessment of adherence to processes
and procedures have been moved back to w/c 15 May.

Area: Stamp Stock Scheme
Comments: Final report issued.

Area: Sustainable Fixes CIJ
Total lines: CI1 54 | CI2 67 | CI3 36 | CI4 62 | CI5 32 | CI6 44 | CI7 17 | CI8 24 | CI9 29 | Total 365
Current status: First stage of fieldwork is completed for all areas and is now subject to stakeholder discussions and factual efficacy.
Area | May 2023 status | Comments

Postmaster Policy
- Draft Postmaster Policy reports will be issued for discussion and validation on 18 May 2023.

CF - Tech Change
Actions being progressed by Tech to complete this area are:
- Risk and Controls status report to assess efficacy
- Lead and Lag KPIs
- To confirm next steps on Assurance Structure (TOM)
- Final Report to be submitted to RCC, outlining what has been done at a high level regarding Tech Change.

CF - Investigations
- Fieldwork has now commenced.

CF - Speak Up (Whistleblowing)
- Fieldwork has now commenced.

OHC / PM Detriment - Not Started
- Assurance activity will commence in June and July.


Tab 3.3 Internal Audit Report

POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT

Title: Internal Audit Report    Meeting Date: 16 May 2023

Author: Johann Appel - Head of Internal Audit & Risk Management    Sponsor: Al Cameron - CFO

Input Sought: Noting
The Committee is asked to:

i. Note the progress being made with delivery of the internal audit programme and
completion of audit actions.

Executive Summary

This paper provides an update on the progress of the 2022/23 internal audit programme and
completion of audit actions.

Report

Progress against plan for 2022/23

1. We are still finalising the 2022/23 programme, which has experienced delays due to contract
negotiations with Deloitte taking longer than anticipated and due to long term staff sickness.

2. Seven POL audits and 1 POI audit were completed in the current reporting cycle. The final
2 audits are being delayed due to challenges in getting information from third parties.

3. The current status of the 2022/23 plan is as follows:

POL Internal Audit Plan 22/23 - Status: Total Audits = 30 (1)
POI Internal Audit Plan 22/23 - Status: Total Audits = 6 (2)

(1) Target number of reviews based on the revised plan for 2022/23 approved by ARC was 30 (20 internal control reviews & 10 change assurance reviews,
revised to 22 internal control reviews and 8 change assurance reviews at the Sept ARC). Details of the audit plan are in the reading room (Appendix 1).
(2) POI ARC approved baseline plan for 2022/23.

[Status charts (Completed / Reporting / Fieldwork / Cancelled or Postponed) not reproduced in this extraction.]


4. The following audits are significantly delayed due to a lack of support and engagement
from third parties:

e Horizon Privileged Access Management (PAM) & Transactional Integrity (TI) - This
review is taking longer due to delays in getting information from, and access to, Fujitsu.

e Third Party Data Validation - It took longer than expected to obtain revenue data from
Vocalink (for ATM revenue) and Neilson Financial Services (for life insurance revenue).
These issues have been resolved and we are now in a position to complete the audit
testing.

Internal Audit reviews completed

5. The following audits have been completed since the March ARC meeting:

1. ATM LINK Scheme Membership Attestation
2. Ransomware Advisory Review (Not rated)
3. Legal Costs
4. Branch Cash Forecasting
5. Horizon - IT Operations and Service Continuity
6. ESG Reporting
7. SPM R2 Readiness & Governance

6. Our findings and observations from these reports are summarised below, with the full
reports available in the reading room (appendices 2-8).

7. ATM LINK Scheme Membership Attestation (Ref.2022/23-29)

Rating: Satisfactory
Audit actions: P3 1; Total 1
Sponsor: Owen Woodley
Reading Room attachment 2

As a condition of continued membership of the LINK Scheme, POL must complete an annual statement
to confirm that risks generated by POL’s ATM activities are adequately controlled.

The Member Assurance Statement has been reviewed and signed by Internal Audit to assert that
reasonable reliance can be placed on the information provided by management to LINK.

We concluded that the ATM team have continued to enhance its approach to completing the Assurance
Statement and have implemented recommendations made in the last IA review. We noted that the
statement contained good levels of narrative and was supported by appropriate documentation. Our
review provided reasonable assurance that the Member Assurance Statement is reliable, the LINK
requirements are understood, met and supported by appropriate evidence, and that any weaknesses,
non-compliances or other relevant findings have been declared.

Management Comment provided by Wendy Luczywo, Head of Automated Banking

“The LINK annual attestation is a rigorous process, and this is our first full year submission since we became a
member of the Scheme. To receive a satisfactory audit with no findings is testament to the excellent work
undertaken by the ATM team with support from Audit and demonstrates that we have rigorous processes and
controls in place that are constantly reviewed throughout the compliance year to ensure that we and our
service partners deliver ATM services to the standards set by LINK.”

8. Ransomware Advisory Review (Ref.2022/23-26)

Rating: Not Rated
Audit actions: Total 1 (priority breakdown not legible)
Sponsor: Zdravko Mladenov
Reading Room attachment 3a & b

Deloitte have performed a gap analysis of Post Office Ransomware controls; comparing the current
business readiness state against a previous assessment completed by them in 2020. This follows
on from previous Deloitte work in 2020 and Internal Audit’s review of Cyber Resilience (Phishing &
Ransomware) which was finalised in January 2022.

Deloitte concluded that Post Office has made progress in improving the security of devices
via:

- A roll-out of improved anti-virus software.
- Beginning the rollout of MFA (Multi Factor Authentication).
- The ongoing migration to Windows 10, with its more modern design and inherent security.

However, they identified the following key risks:

- Lack of consistency across third party technology suppliers, in both contract terms and compliance
monitoring, means that POL does not have a consistent view of how security and disaster
recovery are being managed by these providers. There is a risk they may not be able to support
rapid recovery from a ransomware attack.

- Vulnerability management tooling is not fit for purpose, with some tools past end of life.
There are no tools in place for the Windows 10 and Azure environments. As a result,
vulnerabilities may go undetected by POL and be exploited by would-be ransomware
attackers.

- Without a consistent layered controls methodology, it is possible that there are gaps in
controls coverage. As a result, current controls could each be fully effective but still leave attack
vectors open that could be used to launch a successful ransomware attack.

- Testing of backups is inconsistent; it is unknown whether recovery from backups would be successful
in the event of a ransomware attack.

The full Deloitte report provides detailed findings and readiness assessments and is included in the
RCC and ARC Reading Room. This review was advisory in nature and is therefore unrated.
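The last of these findings, untested backups, is the one a practitioner can turn into a routine check most directly. The script below is an added illustration for this page, not code from the Deloitte report, Internal Audit or Post Office. It assumes a hypothetical backup layout (a gzip tar archive carrying a manifest.json of SHA-256 digests recorded at backup time) and uses a few constructed sample files in place of production data. It performs the drill the finding asks for: restore the archive into a clean scratch directory, then compare every restored file with the manifest and report what is missing, corrupted or unexpected, so that a restore which "completes" without reproducing the original data is caught rather than assumed good.

```python
"""Backup restore verification drill.

Added illustration for this page; the archive layout (gzip tar plus a
manifest.json of SHA-256 digests) is a hypothetical convention, not any
vendor's or Post Office's tooling.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile

MANIFEST_NAME = "manifest.json"

# Constructed sample "production" files standing in for real data.
SAMPLE_FILES = {
    "app/config.yaml": b"listen: 0.0.0.0:8443\nlog_level: info\n",
    "db/transactions.csv": b"id,branch,amount\n1,001,12.50\n2,002,7.00\n",
    "docs/runbook.md": b"# Recovery runbook\n1. restore\n2. verify\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def manifest_bytes(files):
    """Manifest written at backup time: relative path -> SHA-256 of content."""
    digests = {name: sha256_hex(content) for name, content in files.items()}
    return json.dumps(digests, sort_keys=True, indent=1).encode()


def build_archive(members):
    """Write a gzip tar from {member name: bytes}. Used for honest backups and,
    in a drill, for deliberately damaged ones (wrong content, missing files)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def create_backup(files):
    """Honest backup: the files plus a manifest computed from them."""
    return build_archive({**files, MANIFEST_NAME: manifest_bytes(files)})


def restore_and_verify(archive):
    """Restore into a scratch directory, exactly as a real recovery would, then
    compare what landed on disk with the manifest. Returns a report dict with
    lists: verified, missing, corrupted, unexpected."""
    report = {"verified": [], "missing": [], "corrupted": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            try:
                # The "data" filter refuses path traversal and special members.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # interpreter predates the filter argument
        manifest_path = os.path.join(scratch, MANIFEST_NAME)
        if not os.path.isfile(manifest_path):
            report["missing"].append(MANIFEST_NAME)
            return report
        with open(manifest_path, "rb") as fh:
            manifest = json.load(fh)
        # Inventory what was actually restored, independent of the manifest.
        restored = set()
        for root, _dirs, names in os.walk(scratch):
            for n in names:
                rel = os.path.relpath(os.path.join(root, n), scratch)
                restored.add(rel.replace(os.sep, "/"))
        restored.discard(MANIFEST_NAME)
        for name in sorted(manifest):
            if name not in restored:
                report["missing"].append(name)
                continue
            with open(os.path.join(scratch, name), "rb") as fh:
                actual = sha256_hex(fh.read())
            bucket = "verified" if actual == manifest[name] else "corrupted"
            report[bucket].append(name)
        report["unexpected"] = sorted(restored - set(manifest))
    return report


def restore_ok(report):
    """A drill passes only if every manifest entry came back byte-for-byte."""
    return bool(report["verified"]) and not report["missing"] and not report["corrupted"]


if __name__ == "__main__":
    print(restore_and_verify(create_backup(SAMPLE_FILES)))
```

A drill of this kind only proves recoverability if the manifest is held where an attacker who can encrypt the live data cannot also rewrite it, and if it is run on a schedule against the backup generations that would actually be used in an incident; that scheduled, evidenced run is the consistency the finding says is absent.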

Management Comment provided by Dean Bessell, CISO

“Cyber-attacks have been carried out against Post Office Insurance, FRES, WH Smith and Royal Mail, which is
a cause for concern, and as a result of this the likelihood of a ransomware attack impacting Post Office has
increased from possible to likely. The risk is likely to materialise if events follow normal patterns and mitigating
action is not taken.

Requests for further funding are being prepared and will be required to address key priorities in order to bring
this risk within both appetite and tolerance. This doesn't mean that the current cyber defences are ineffective,
but we don't believe they are sufficiently robust for the increased cyber threat Post Office is facing.

We continue to support the need to balance the FY23/24 budget, with improvements being funded on an ad-hoc
basis and/or expected to be completed by the BAU team.”

9. Legal Costs (Ref.2022/23-05)

Rating: Needs Significant Improvement
Audit actions: P2 3; Total 6 (remaining priority counts not legible)
Sponsor: Ben Foat
Reading Room attachment 4

POL maintains an in-house legal function to provide legal, regulatory and governance advice and
services across the business. External lawyers are engaged by the Legal Team and others in
circumstances where the demand for services cannot be met by internal resource. For example, to
provide subject matter expertise or to support major projects, most significantly the Horizon Inquiry
and the HSS. The amount spent on external legal support has risen sharply since the GLO
judgments were handed down, thereby increasing the risks in this area.

This review has assessed the governance and oversight arrangements, and operational controls
over external legal spend across POL (BAU, HMU and Inquiry).

Whilst the processes and controls over BAU and HMU in relation to Legal Costs were
broadly effective and well managed, it was around the legal spend for the Inquiry and
HSS that most issues were raised. The main Inquiry legal firm, Herbert Smith Freehills (HSF),
were directly appointed to represent POL at the GLO (in June 2019) and have remained as POL's
legal representatives to the Inquiry since then. Whilst there is signed documentation appointing
them to the GLO work, no such documentation was provided to cover their work on the Inquiry. The
lack of a formal contract has led to the majority of the complications observed at this audit,
particularly regarding the management of expenditure, which for 2022/23 averaged £2m per month.
Delays in the submission of invoices by HSF, and their level of complexity have led to further issues
around the validation of spend prior to signing off for payment. A formal project to reduce external
legal spend has delivered a compliant process to appoint a new firm to take over the Inquiry work.
This work was in the negotiation phase at the time of this report. The new Finance Director has
made proactive efforts to increase financial control since his appointment partway through this audit.

Management Comment provided by Ben Foat, Group General Counsel

“I would like to thank the Internal Audit team for their review. Whilst it was encouraging to see that the controls
across BAU and HMU (other than HSS) were broadly effective and well managed, we must do better with the
Inquiry and HSS forecasting and monitoring of legal cost controls.

The last 18 months has been a challenging time for the Inquiry team, with many changes in terms of the scope
of the Inquiry and people changes. This has made it difficult to accurately forecast in many areas, especially
as the landscape within which the Inquiry team operate changes or is not fully in their control or
understood. The forecasting regarding disclosure was not accurate because the status of data across the
organisation, the level of preparation needed for the witness preparation and the fact that many
potential senior stakeholders will need separate legal representation were not originally factored in, as these
evolved throughout the programme.

Clarification around who is permitted to stop the payment of legal invoices is needed going forward, as neither
I nor the Inquiry Director have directed that invoices not be paid (indeed I have advised the business, and in
particular the Inquiry Finance Team, of the obligations under the Reporting of Payment Practices Act). That
said, the Inquiry team has acknowledged the report and is seizing the opportunity to introduce our BAU controls
with the new law firm, including the use of PON, workstream instruction sheets and caps,
so that strict controls will be in place.”


10. Branch Cash Forecasting (Ref.2022/23-26)
Sponsor: Martin Roberts. Reading Room attachment 5.
Audit actions: P2 3, P3 1, Total 6.
Rating: Needs Improvement

The Branch Cash Forecasting team (BCF) manage the flow of cash to and from the Branch Network.
This has been managed effectively for many years, using manual processes. There have been
attempts to automate the processes, but these have never come to fruition. Under the Banking
Framework the volume and value of cash movements in the business has increased significantly.
This limited scope review to assess the effectiveness of key controls over Branch Cash Forecasting
is part of the 2022/23 IA Plan approved by the ARC.

The forecasting of branch cash requirements is applied consistently to the majority of branches
(excludes self-funded branches), but is heavily reliant on accurate and timely cash declarations
submitted by branches. The forecasting process is manual and informal governance is in place to
structure the exchange of information between the cash forecasting function and the Cash Centre,
Network Monitoring and Treasury teams. The processes were documented, however, they were in
draft form and inconsistent in quality. The identification and escalation of excess cash held by
branches is reliant upon the BCF team’s experience, judgement, and discretion.

We conclude that the forecasting of branch cash is generally effective, but carries a risk
of error due to the reliance on manual spreadsheets for its operation. For this reason we
have rated this report “needs improvement”.

Management Comment provided by Russell Hancock, Supply Chain Director

“Firstly I want to thank Garry and the team for their support in auditing the cash forecasting processes and
supporting the Bristol Cash Management Team throughout.

The report findings are no real surprise in terms of the risks around a manual forecasting system that continues
to rely on key individuals for its continued success. That said, the system has been operational now for almost
five years and has successfully helped us continue to ensure branches have the correct and adequate amounts
of cash in order to support their cash activities. This is against a backdrop of continuing rising cash volumes
and some volatility during the pandemic.

The team have continued to ensure that we have robust contingency throughout the process, with more
colleagues able to support the overall cash forecasting and planning process. Some data gathering has been
automated, but clearly we have some further work to do in order to properly document our
processes and complete the work on further automation. The team will also continue to work with Alison Clark
and her team in order to further bolster the overall resilience and reliability of the process.

My expectation is that this work will be concluded by the end of Q1 at the latest.”


11. Horizon - IT Operations and Service Continuity (Ref.2022/23-25)
Sponsor: Zdravko Mladenov. Reading Room attachment 6.
Audit actions: P2 7, P3 [illegible], Total [illegible].
Rating: Needs Significant Improvement

Horizon is Post Office’s core trading platform, processing approximately 7 million transactions daily.
Developed and supported by Fujitsu, Horizon’s wider ecosystem depends on additional components
and infrastructure supported by DXC, Accenture and Verizon. Horizon relies on tools and
components reaching End-Of-Life (EOL) that are challenging to support, and a Data Centre
Fortification programme has been set up to help mitigate this risk.

Maintaining uninterrupted operation of the Horizon system and being able to quickly recover from
any interruptions is critical to Post Office’s ongoing business. We identified effective processes
in place for responding to incidents impacting Horizon, supported by improving
governance and controls around business continuity and IT service continuity
management.

However, additional work is required to proactively plan for issues impacting Horizon operations,
including:

• Defining a crisis management plan for Horizon, backed up by fully defined and tested business
continuity plans.

• Defining an overarching IT Disaster Recovery plan, providing integration and coordination
between tower vendor recovery plans and clarifying Post Office’s role.

• Defining and implementing a backup strategy to help ensure systems and data can be restored
in a secure and timely manner, e.g., following a ransomware attack.

• Implementing a Security Information & Event Management (SIEM) solution for the Horizon
back-end to provide timely and effective reporting of security events.

Given the criticality of ensuring that processes and controls are in place to support the resilience of
Horizon as Post Office transitions to NBIT, and the high number of significant findings, we have
rated this report as ‘Needs Significant Improvement’.

Management Comment provided by Simon Oldnall, Horizon and GLO IT Director

“I thank the team for this comprehensive assessment and support the rating and recommendations for
improvements. Horizon remains our core trading platform and whilst it proves to be highly available, we
should not be complacent on the need to have in place additional measures to ensure we can recover in the
event of a significant loss of service.”


12. ESG Reporting (Ref.2022/23-06)
Sponsor: Richard Taylor. Reading Room attachment 7.
Audit actions: P2 2, P3 1, Total 3.
Rating: Satisfactory

POL has been reporting under Streamlined Energy & Carbon Reporting (SECR) legislation in its
Annual Reports & Accounts for the past 3 years. For 2023/24, there is a requirement to also
report under the Task Force on Climate-related Financial Disclosures (TCFD).

This was a limited scope review to assess Post Office’s approach to ESG management and its
readiness to report under the TCFD regulations.

There are sufficient mitigations to assess, manage, and disclose ESG positions and associated risks.
However, the alignment of ESG goals, targets, and strategy with Post Office strategy/priorities is
work in progress and predominantly for internal purposes initially. This will not affect the readiness
to report against the new disclosures for 2023/24.

This audit concludes that there is sufficient understanding of the TCFD-aligned reporting
requirements and planning work is underway, which will ensure that POL are able to
report effectively under the Climate-related Financial Disclosure regulations for the UK.

Management Comment provided by Mark Cazaly, Head of Corporate Responsibility & Social Impact

“We are seeing increased scrutiny of our ESG performance by regulators and clients, most notably with the
new requirement for FY2023/24 that we comply with TCFD reporting in our Annual Report and Accounts as
well as requests from banking and bill payment clients to share information under the Carbon Disclosure
Project. Much of this additional burden builds on existing requirements such as SECR where we have robust
reporting in place already. It is important to note that as POL is considered a private company for the
purposes of TCFD reporting, there are fewer requirements to comply with than PLCs - it is possible that
stakeholders will expect us to go further and voluntarily report in line with the approach for PLCs.

As outlined above, TCFD requires more narrative reporting around how the business is prepared to mitigate
and adapt to climate change; this will be informed by our climate risk assessment and we are putting in place
the necessary steps to be able to report on this as part of our ARA for the current financial year.”

13. SPM - R2 Readiness & Governance (Ref.2022/23-24)
Sponsor: Zdravko Mladenov. Reading Room attachment 8.
Audit actions: P2 7, P3 [illegible], Total [illegible].
Rating: Major Delivery Risk

The Strategic Platform Modernisation (SPM) programme aims to replace Horizon with a robust core
trading platform (New Branch IT (NBIT)). NBIT Release 1 (R1) successfully delivered limited
functionality to two branches in October 2022. Release 2 (R2) aims to provide an increased product
set to between two and 40 branches, with Release 3 (R3) delivering most remaining products to an
increased number of branches. At the date of our review R2 was delayed from March to April 2023
and is currently delayed further with no revised date available. The latest communicated date for
R3 has moved from October 2023 to January 2024.

The objective of this review was to evaluate the effectiveness of controls to manage delivery risk
for the R2 milestone pilot and subsequent rollout.


At the date of our work the structure and governance of the programme was under review, and in
early March it was announced that two programmes would run in parallel. The SPM Technology
Programme would continue to own technology-based activity, including the design, build and test
of all hardware and software requirements, including training design and the Learning Management
System (LMS) build. However, all retail-based change activity was to be assessed and delivered via
the Retail Transformation Programme (RTP). As at the date of writing a governance structure is
now in place for the Retail Transformation Programme (RTP), but governance over the SPM
technology programme is still paused. A Retail Transformation plan is in draft, and once
finalised both plans need to be evaluated alongside each other and mechanisms devised and
embedded for ensuring integration and clarity of ownership between both programmes.

Although several prior key audit recommendations remain open, traceability between test artefacts
and the product roadmap has been strengthened, and two Knowledge Managers and a Head of
Assurance for the Business Transformation Unit (BTU) have been recruited. During and after our
audit, progress has been made with developing a knowledge management approach and addressing
communication issues within and outside the programme. These two problem areas are root causes
for many of our findings.

Slippage to R2 and R3 has already been acknowledged, and the programme is facing
challenges which we believe present a major risk to these revised dates. We also believe
that there is a significant financial risk should delays be extended. On that basis we have rated this
report red, indicating a major risk to delivery.

Management Comment provided by Zdravko Mladenov, Group Chief Digital and Information Officer

“The programme team accepts the Red rating as a reflection of the information provided to the Internal Audit
team during the audit. It is worth reflecting that the audit followed the very intensive DBT Gateway Review
and coincided with the peak strain on NBIT’s technical delivery teams, trying to meet Release 2 timelines.

The audit findings reflect agreed areas for improvement. A material portion of those findings were already
recognised by the programme at the time of the audit, which helped crystalise further the opportunities for
improvement. Since the completion of the audit, the programme has declared an approx. three month slippage
in Release 2 and a shift in approach towards a more gradual rollout. The slippage and change in approach will
allow for addressing the audit findings in a suitable timeframe. In addition, the programme has also declared
further slippage in the next release, Release 3. While this release is not in the scope of the audit, the findings
on Release 2 have knock-on effects, which will also be mitigated accordingly.

With regard to the specific finding about the lack of HIJ compliance, the programme has an extensive
documentation repository (Jira board) on how it is responding to HIJ findings, but not a formally documented
position. The topic will be covered as part of IDG 2.0.

Lastly, the audit completed prior to the formal establishment of the Retail Transformation Programme. Two
findings are for acceptance and remediation. Those specifically are #3 and #5.”

Progress with the 2023/24 plan

14. The execution of the 2023/24 internal audit programme has only just started and progress
will be reported from the July RCC and ARC meetings.

Status of Audit Actions

15. There are currently 15 actions overdue, six of which are older than 60 days. We are
working with the action owners to close these actions and have escalated to the relevant
GE sponsors where appropriate.

16. The movement and ageing of audit actions are shown in the table below (status as of 2
May 2023).


Audit Action Status (POL):
Open actions at last ARC: 35
Less: Actions closed in period: 19
Add: New actions in period: 19
Total open actions: 35

Ageing:
Open (not yet due): 20
Overdue (<60 days): 9
Overdue (>60 days): 6
Total open actions: 35

17. Breakdown of the actions that are overdue for more than 60 days:

Audit / Area No. of actions > 60 days
SPM (3 Internal Audits and 1 DBT Gateway review) 3
Business Continuity 1
Cyber Resilience (Phishing & Ransomware) 1
Postmaster Remuneration 1

18. Update on SPM audit actions:

• SPM programme has made good progress in completion of audit actions. Six
actions were completed since the March ARC, leaving eight actions open (of which
three are overdue more than 60 days). NBIT team are working with RTP to
transfer two actions to the new programme and to agree ownership of new
actions from our recent audit of R2.

• One of the remaining overdue actions is to establish an integrated assurance
approach. The programme has now defined a technical assurance approach,
however, the assurance approach of the wider programme has not yet been
defined. We will create an action for the Retail Transformation Programme to
define and establish its own assurance approach.

POI Audit Programme

19. The table below shows the status of the 2022/23 POI audit programme, which is reported
to the POI ARC:

Proposed Review | Status | Timing | Rating
1 Duck Creek (Home Insurance Revenue) | Complete | Q3 | Satisfactory
2 Demonstrating Independence | Complete | Q2 | Needs Improvement
3 Consumer Duty | Reporting | Q4 | tbc
4 Risk Management | Postponed | Q1 23/24 |
5 Third Party Oversight | Postponed | Q1 23/24 |
6 GI Pricing post implementation | Cancelled | |

20. Demonstrating Independence will be reported to the POI ARC on the 1st of June,
whereafter a summary will be provided to the POL ARC.

Appendices¹

Appendix 1: Internal Audit Plan for 2022/23
Appendix 2: Internal Audit Report - LINK Scheme Attestation
Appendix 3a: Internal Audit Report - Ransomware Readiness (Summary Memo)
Appendix 3b: Internal Audit Report - Ransomware Readiness (Full Report)
Appendix 4: Internal Audit Report - Legal Costs
Appendix 5: Internal Audit Report - Branch Cash Forecasting
Appendix 6: Internal Audit Report - Horizon - IT Operations and Service Continuity
Appendix 7: Internal Audit Report - ESG Reporting
Appendix 8: Internal Audit Report - SPM R2 Readiness & Governance

¹ Appendices 1-8 are accessible in the CoSec ‘Reading Room’

Tab 4 Data Governance Framework Approval


POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT

Title: Data Governance Framework Approval
Meeting Date: 16th May 2023
Author: Vishal Thanki
Sponsor: Zdravko Mladenov

Input Sought: Decision
The ARC is requested to approve the Data Governance Framework.

Executive Summary

The Data Governance Framework sets out how data should be managed at POL. The framework
includes data principles, a data governance maturity model, a target operating model with
associated roles and responsibilities, and a governance structure in the form of a Data
Governance Committee. The request to setup the Data Governance Committee as a standing
sub-committee of GE was approved on 1st March 2023 at GE Tactical, and the inaugural Data
Governance Committee was convened on 24th April 2023. The Data Governance Committee
decided to request approval of the Data Governance Framework at the RCC and ARC as it will
form the direction of travel in relation to data governance maturity across POL. The framework
has been developed over the past few months and shared with stakeholders across CDIO and
POL business units. Based upon this feedback there have been multiple iterations to the
framework, and this is now a mature framework which is ready for approval.

The following supporting documentation has been included in the reading room to support this
request.

- Draft Data Governance Framework v0.12

- Data Governance Committee Terms of Reference

- Data Management Funding Impact of Funding Reduction Paper presented to ARC on 28th
March 2023


1. What is the driver for creating and adopting a data governance framework at POL?

2. Good data governance within an organisation provides the following benefits:

a. Increased Regulatory Compliance - Data Governance ensures compliance with
legal and regulatory requirements to avoid costly fines and reputational damage.

b. Better Decision Making - Data Governance helps organizations make better
decisions by providing accurate and reliable data.

c. Improved Data Quality - Data Governance ensures that data is accurate,
complete, and consistent.

3. In addition to the above, data governance improvement objectives were created as a
result of the remediation actions from the Horizon Issues Judgement (HIJ).

4. No funding is available within the HIJ Remediation Programme to progress resolution
of the data governance objectives. The roll out of the Data Governance Framework will
improve the data governance capability of the organisation, supporting and facilitating
the HIJ actions in relation to data governance improvement at POL.

5. For clarity, the Data Governance Framework does not directly address any specific HIJ
related data governance actions. However, the improvement of the data governance
capability is expected to support and facilitate the HIJ actions in relation to Data
Governance.

6. Phase 7 of the Horizon Inquiry will focus on governance improvements and progress
on data governance improvements may be included as part of this.

7. What are the plans in relation to Data Governance Maturity?

8. The Data Management Team aspires to achieve Level 2 maturity by February 2024
based upon the POL Data Governance Maturity Model, however, this is dependent on
Business Units completing activities to achieve Level 2 maturity.

9. Whilst this is an aspiration from the Data Management Team, the business units have
an action from the inaugural Data Governance Committee to provide a roadmap to
achieve Level 2 Maturity.

10. Despite limited funding and resource for data governance activities, basic
improvements can be made across the organisation; i.e. Level 2 maturity can be
relatively quickly established. More advanced and resource intensive activities, i.e.
achieving Level 3 Maturity or beyond, will require decision making to prioritise these
for key areas within each business unit; this strategic direction, oversight and decision
making will be provided by the Data Governance Committee.

11. It is important to note that whilst plans for maturity improvement are described here,
data governance is an ongoing business as usual activity and POL will need to
incorporate these activities into BAU to sustain any maturity improvements.

12. What is the POL Data Governance Maturity Model?

13. The POL Data Governance Maturity Model is part of the Data Governance Framework
and describes the characteristics, deliverables and criteria at various maturity levels
from 1 to 5, with 5 being the most mature. It uses the DAMA-DMBoK¹ as a reference
point to articulate the activities that POL needs to demonstrate to achieve data
governance maturity improvements.

¹ DAMA-DMBoK refers to the Data Management Association (DAMA) Data Management Body of Knowledge (DMBoK) and is a
comprehensive guide to international data management standards and practices for data management professionals.


14. Whilst the POL Data Governance Maturity Model uses the DAMA-DMBoK as a reference
point, it has been interpreted and significantly customised to suit the context of POL in
terms of focus areas, complexity and resource available for Data Governance Maturity
at POL. This is industry practice; to customise data frameworks and maturity models
to the context of the organisation within which they are being implemented and
adopted. Further, as the organisation evolves these may change to reflect either
external or internal changes leading to different focus areas.

15. The maturity model described in the DAMA-DMBoK has been interpreted into
deliverables both for the Central Data Management Team and the business units across
POL. This interpretation drives the formation of the Data Governance Maturity
Dashboard which will be used to assess and track data governance maturity progress
for the business units.

16. The above is detailed in Appendix 1.

17. It is important to note that the POL Data Governance Maturity Model has consciously
been created such that the assessment is simple, light touch and objective requiring
relatively little effort to complete. Organisations can spend several months performing
thorough assessments requiring significant engagement across the business. This is
currently difficult to achieve considering the current business environment at POL;
specifically the resource constraints both within the Data Management Team and the
business units.

18. Version 0.10 of the draft Data Governance Framework was discussed at the inaugural
Data Governance Committee. Material suggestions for updates have been incorporated
into this version, version 0.12. This version includes and incorporates feedback from
participants including Anshu Mathur, Group Assurance Director, and Ben Foat, Group
General Counsel.

19. When has Data Governance previously been discussed at ARC?
20. Data Governance was previously discussed at ARC on the following dates:
a. Agenda item “Data Governance Framework” on 28th September 2021 as a
Noting Paper.
b. Agenda item “Data Management at POL” on 29th March 2022 as a Noting Paper.
c. Agenda item “Impact of Data Management Funding Reduction” on 28th March
2023 as a Discussion Paper.
21. This topic has been discussed on numerous occasions at RCC, with the latest being on
9th May 2023 to request approval of this Data Governance Framework and its onward
submission to ARC. This approval was granted.

Risk Assessment, Mitigations & Legal Implications

22. Significant detail was provided in terms of risks in relation to data management as part of
the ARC discussion paper presented on 28th March 2023. This has been added to the
reading room for reference.

23. There is an open enterprise risk owned by Zdravko (ID: RK0020009, Name: Information)
which has an inherent and residual score of 12 and needs to be mitigated. The creation
and roll out of the Data Governance Framework is part of the mitigation of the enterprise
risk and the following downstream Information risks; these downstream risks were
included in the letters to BEIS submitted in Dec 2022 and late Jan/early Feb 2023
escalating some key POL risks.

ID | Name | Severity | Appetite / Tolerance
RK0021710 | Inadequate Data Governance for structured data² | 9 | Outside appetite, currently within tolerance
RK0021709 | Poor management of unstructured information³ (hard copy material and unstructured digital information such as documents saved in SharePoint) | 12 | Outside appetite and outside tolerance

Stakeholder Implications

24. The Deputy Data Sponsors, which drive data governance maturity for their business unit,
are working to adopt the framework and have open actions to progress this. It was agreed
at the Data Governance Committee that the Deputy Data Sponsors would progress this in
parallel to the Data Management Team seeking approval of the framework from ARC.

Next Steps & Timelines
25. Publish version 0.12 of the Data Governance Framework as version 1.0 after approval at
ARC.

26. There are various open actions after the inaugural Data Governance Committee, however,
the key actions with Deputy Data Sponsors are as follows:

Action: Complete initial maturity assessment
Description: Work with the Data Management Team to assess the current maturity of the business unit.
Due date: 15th June 2023

Action: Identify Data Owners
Description: Work with stakeholders within the business unit to identify Data Owners. Guidance has been provided in the “Data Owner Identification Guidance.docx” document provided.
Due date: 22nd June 2023

Action: Provide Business Unit Roadmap to achieve Level 2
Description: Work with Data Owners and the Data Management Team to plan completion dates for activities required to achieve Level 2 maturity as part of the Data Governance Framework.
Due date: 15th July 2023

² Structured data is data that has been pre-defined and formatted to a set structure before being placed in data storage. For
example, data stored in fields in a system such as Credence or CFS.

³ Unstructured information/data is either physical or digital and is not organized in a pre-defined manner; for example, physical
paper documents, or digital documents such as email, Word, PowerPoint or PDFs saved in digital storage solutions such as
SharePoint.

Appendix 1

POL Data Governance Maturity Model

[Figure: POL Data Governance Maturity Model, Criteria and Metrics; maturity levels from 1 (Initial / Ad Hoc) to 5 (Optimised). The figure body did not survive extraction.]


Conclusions from the Banking Framework assurance engagement


Tab 6 Outcomes from the Banking Framework assurance engagement. Full report is in the reading room.

Overview of Non-audit assurance engagements conducted during the year ended 31 March 2023.

We perform a number of audit-related services and non-audit assurance engagements for Post Office Limited ("POL") during the course of the year. These are closely
connected with our role as auditor and each of these is subject to approval by the Audit and Risk Committee ("ARC") on an annual basis. Below is a summary of the
various engagements, as well as a summary of the timing of our reporting to management / ARC in respect of each.

Service: DVLA “agreed upon procedures”
Description: This engagement is to corroborate a sample of DVLA revenue per POL's systems (CFS) to payments made to DVLA. The purpose of this AUP is to assist POL in fulfilling its reporting obligations under the Client Service Agreement between POL and the DVLA.
Timing: Report signed May 2022
Status: Complete, included within ARC report July 2022

Service: BoE Note Circulation Scheme controls
Description: As part of POL's participation in the Bank of England ("BoE") Note Circulation Scheme ("NCS"), POL is required to obtain assurance over the controls it operates in respect of seven control objective areas (as defined by BoE). We provide a reasonable assurance opinion over POL's description of its NCS control environment, as well as the suitability of the design and operation of POL's controls to address BoE's control objectives.
Timing: Report signed May 2022
Status: Complete, included within ARC report July 2022

Service: Branch Network reporting, limited assurance reporting
Description: POL prepares a network numbers report which contains information relating to the POL network size, branch types, and location of branches for submission to UKGI and BEIS. In order to gain greater comfort over some of the information reported in the network numbers report, we provide an ISAE 3000 limited assurance opinion over certain POL reported KPIs.
Timing: Report signed August 2022
Status: Complete, included within ARC report January 2023

Service: Royal Mail “agreed upon procedures”
Description: This engagement is to corroborate the weekly revenue reported to Royal Mail to POL's systems / bank statements. The purpose of this AUP is to assist POL in fulfilling its reporting obligations under the Distribution Agreement with Royal Mail.
Timing: Report signed November 2022
Status: Complete, included within ARC report January 2023

Service: BEIS “agreed upon procedures”
Description: This AUP engagement is to recalculate a sample of the monthly covenant calculations reported by POL to BEIS in accordance with the terms of its loan agreement with BEIS.
Timing: Report signed November 2022
Status: Complete, included within ARC report January 2023

Service: Banking Framework, limited assurance reporting
Description: POL has engaged PwC to perform a limited assurance engagement over POL's description of its activities in relation to the requirements of the “Terms and Conditions to Members of Post Office Banking Counter Services Framework version 2.3” as at 30 September 2022, that form POL's obligations under the Banking framework.
Timing: Phase 1 findings shared in December 2022; [remainder illegible in scan]
Status: Complete, 169 page report issued to management; summary included within this ARC report

Post Office Ltd | PwC | May 2023


Background to the Banking framework assurance engagement

POL engaged PwC to perform a limited assurance engagement over POL's description of its activities in relation to the requirements of the “Terms and Conditions to
Members of Post Office Banking Counter Services Framework version 2.3” as at 30 September 2022, in connection with Post Office’s reporting obligations under clause
15 of the framework.

The engagement was split into two phases: obtaining an understanding and performing walkthroughs of relevant processes and systems (phase one) and testing
operating effectiveness of those processes and systems (phase two).

The phase one report was issued on 5th December 2022 which concluded walkthrough testing for all relevant Banking Framework requirements in scope apart from
Schedule 6. A summary of this report was presented at the January 2023 ARC, and management presented its response to these findings to the last ARC in March 2023.

We have completed Phase 2 of our work and issued our assurance report to POL management on 27 March 2023. Management have also now released our report to
the Banking Partners.

We issued an 'except for' qualified opinion, meaning that, regarding the 328 individual Banking Framework clauses that were within the scope of the engagement, we:

* qualified our assurance opinion in respect of 16 clauses, where our sample testing identified that processes were not always operating as intended, or that limited evidence could be provided to support the operation of the process, such as:
  - Use of shared logins by branch staff, and the delayed removal of logins following staff members leaving POL;
  - Evidence of certain processes not being possible to share outside of POL due to these having been performed by third parties;
  - Being unable to inspect evidence of staff and Postmaster vetting due to the decommissioning and replacement of the vetting management system;
  - Legacy Postmaster contracts not containing clauses relating to confidentiality and data protection; and
  - Some branches not following the prescribed policy for cheque encashment.
* included an "emphasis of matter" paragraph, in respect of 20 clauses, to emphasise POL's own assertions that its processes were not always fully aligned to the Banking Framework's requirements, such as:
  - There being no monitoring of subcontractors' compliance with the Banking Framework;
  - The network transformation report no longer being issued; and
  - Certain Committees not having met as frequently as defined within the Framework.
* raised an "other matter" paragraph to highlight that some processes could not be observed as the trigger for their operation (e.g. the need for POL to inform the Banking partners when a certain scenario occurs) had not occurred in the period under review.

A 169 page report (comprising the Banking Framework requirements, POL's self-assessment of how its processes align to these requirements, and PwC's testing and results) accompanies our assurance opinion. Management have already drafted action plans to address each of the points, with assigned owners.



Tab 7 Policies for Approval


POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT

Title: Policy Update
Meeting Date: 16 May 2023
Author: Reena Chohan, Policy Compliance Manager
Sponsor: Jonathan Hill, Group Compliance Director / Ben Foat, Group General Counsel

Input Sought: Approval
The Committee is asked to review and approve the following updated policies for the business
to take forward:

i. Internal Audit Charter;
ii. Business Continuity Management Policy;
iii. Speak Up Policy; and
iv. Group Legal Policy.

Previous Governance Oversight
Risk & Compliance Committee (RCC) 9th May 2023

Executive Summary
This paper provides a summary of changes that have been made to the policies below as part
of their annual review process for the ARC to consider.

Questions addressed

1. Which policies were updated in this annual cycle review?

2. What updates were included and why?

3. What is Compliance’s assurance view of the status / Minimum Controls Standards for
each policy?

Which Group policies were updated in this annual cycle review?

In this review cycle the following group policies were revised, reviewed and updated as per the
annual review process.

Internal Audit Charter - Last reviewed: May 2021; Updates: Minor updates this annual review; GE Sponsor: Group Chief Finance Officer; Governance Approval Body: RCC & ARC

Business Continuity Management Policy - Last reviewed: May 2022; Updates: Minor updates this annual review; GE Sponsor: Group Chief Finance Officer; Governance Approval Body: RCC & ARC

Speak Up Policy - Last reviewed: March 2022; Updates: Minor updates this annual review; GE Sponsor: Group General Counsel; Governance Approval Body: RCC & ARC

Group Legal Policy - Last reviewed: 2019; Updates: The policy has recently been updated using the Group policy template and has been prepared for publication as a Group Key policy; GE Sponsor: Group General Counsel; Governance Approval Body: RCC & ARC

What updates were included and why?

1. A summary that identifies the changes and updates to the policies and statements has been added below:

2. Internal Audit Charter: The policy has had minor changes, and the following updates were made to the policy in this annual review:

a) Policy moved to new internal policy template.
b) Minor updates such as job titles.

The policy owner has confirmed in their attestation that the Minimum Controls identified in the policy are in operation and can be evidenced. These controls are owned and operated by the Internal Audit team and are carried out as BAU activities.

3. Business Continuity Management Policy: The policy has had minor changes, and the following updates were made to the policy in this annual review:

a) Revised risk tolerance statements.
b) Minor amendments to the minimum control descriptions.
c) Business Continuity Framework Strategy document included in the additional policies section.

The policy owner confirmed in their attestation that the controls for Business Continuity
Management Minimum Control Standards can be evidenced as working. A biennial BIA
programme is completed with Business Continuity Plans created. BC training is completed
with a set group of colleagues to manage incidents effectively and tests are conducted
throughout the group. Building resilience reviews are ongoing to ensure they meet our
recovery strategies.

4. Speak Up Policy: The policy has had minor changes, and the following updates were made to the policy in this annual review:

a) The language changing Whistleblowing to Speak Up.
b) Changing all 'Whistleblowing' terms to 'Speak Up'.
c) Adding the recommendations by EY following the External Review of the Speak Up function.
d) Speak Up Champion role amended as per 1.10.
e) Adding other contacts to 1.12 as per recommendation in the EY Report.
f) Review of external contact details.

The policy owner confirmed in their attestation that assurance is currently being carried out on the Speak Up Team, together with an external Review of the Speak Up process and procedures conducted by EY. Recommendations will be detailed in their Report.


5. Group Legal Policy: The Legal Policy was written in 2016 and implemented locally
within the Legal Team from that date. It has recently been updated using the Group policy
template and has been prepared for publication as a Group policy. The following updates
have been made to the policy:

a) following GLO, incorporating risk appetites and tolerances, new policy requirements and
specific controls for historic matters.

The Minimum Control Standards stated within the policy are based on well-established Post
Office processes, with new specific controls for Historic Matters being recently incorporated into
the policy. As the Legal Policy will now form part of the Group Key Policy Framework, the policy
will be subject to a Policy Assurance Review, which will be conducted by the Policy Compliance
Manager in the future.

Assurance

Assurance reviews on Group Key Policies have been put on hold whilst the Policy Compliance Manager assists on Historical Matters Assurance activity. Postmaster Support Policy assurance reviews are still being conducted for the remainder of the year; this is to support and coincide with the work being done on Historical Matters.

4. The policies in both clean and tracked changed versions can be found in the reading room.

5. Conclusion

We continue to work with Policy Owners and Company Secretariat to ensure we maintain our policy governance responsibilities and undertake assurance that the policies are working as expected. This is a key part of the wider Post Office controls work.

Policy Appendices

1. Internal Audit Charter (Clean)
2. Internal Audit Charter (Track Changed)
3. Business Continuity Management Policy (Clean)
4. Business Continuity Management Policy (Track Changed)
5. Speak Up Policy (Clean)
6. Speak Up Policy (Track Changed)
7. Group Legal Policy (Clean)


Tab 8 Committee Evaluation


POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT

Title: Audit, Risk and Compliance (ARC) Committee Evaluation 2022/23
Meeting: 16 May 2023
Author: Marie Molloy, Senior Assistant Company Secretary
Sponsor: Simon Jeffreys, ARC Chair

Input Sought: Noting, Discussion & Decision

The Committee is asked to:
* NOTE and DISCUSS the ARC Committee Evaluation for 2022/23 (Appendix 1).
* APPROVE the recommended areas and actions to address points raised for improvement.

Previous Governance Oversight
* The Nominations Committee approved the 2022/23 ARC evaluation questionnaire at its meeting on 6th December 2022.
* An externally facilitated evaluation was conducted of the Board and its Committees for 2020/21 and will be undertaken again in 2023/24¹.

Executive Summary

The 2022/23 ARC evaluation questionnaire mirrored that of 2021/22 to allow like for like comparison. The ARC Members as at February 2023 and the Group CFO, General Counsel, Director of Compliance, Head of Risk, Director of Internal Audit and Risk Management and Head of External Audit were invited to complete the questionnaire².

Across all evaluation areas the effectiveness of ARC was rated³ as 'very good', which is broadly in line with prior year ratings:

* Skills, experience, diversity, knowledge: average score 4.6 (LY 4.4)
* Leadership, ways of working, time management: average score 4.4 (LY 4.5)
* Information and Support: average score 4.0 (LY 3.8)

The evaluation feedback was that the Committee continues to remain effective, despite the
headwinds and challenges faced by the Post Office. Positive comments were made regarding
the interaction and engagement with the external auditors and the internal audit function. The
approach of the committee in relation to providing an effective challenge to management and
holding them to account, whilst still being supportive was remarked upon.

The two areas which may require further focus and improvement are:

* Assuring that compliance with the regulatory landscape is adequately managed and reported (score 3.6 (LY 3.8)); and
* Quality of papers and presentations received by the Committee (score 3.9 (LY 3.5)).

¹ The UK Corporate Governance Code and the Corporate Governance Code for Central Government Departments both stipulate that there should be an annual evaluation of the Board and its Committees, which should be externally facilitated at least once every third year.

² Recently appointed ARC Chair and a non-executive Director were therefore excluded.

³ Key: 5 = Excellent; 4 = Very good; 3 = Good / at required standard; 2 = Requires development; 1 = Requires significant development


The actions arising from the 2021/22 ARC evaluations have all been addressed.

Report
How do the responses of 2022/23 compare with 2021/22?

The overall average evaluation scores at 'very good' were broadly in line with prior years, and all scores were at or above 3.6 (3 = "good / at required standard").

The Membership of the Committee and the executive contributors had been stable during the period in which the evaluation questionnaires were undertaken, so the pool of questionnaire participants was very similar.

The higher scoring questions are summarised below:

Section B (Leadership, ways of working, time management) - How would you assess the Chair's encouragement of debate within the Committee, including ensuring that all members are able to contribute to the discussion? 22/23: 4.8; 21/22: 5.0

Section A (Skills, experience, diversity, knowledge) - How would you rate the Committee's understanding of the following areas of the Business:
  i. Financial reporting and management - 22/23: 4.8; 21/22: 4.3
  iv. Internal Audit - 22/23: 4.7; 21/22: 4.3
  v. External Audit - 22/23: 4.7; 21/22: 4.3

Section A (Skills, experience, diversity, knowledge) - How appropriate is the composition of the Committee for the requirements of the business? 22/23: 4.7; 21/22: 4.5

The lower scoring questions are summarised below:

Section C (Information and Support) - How comfortable are you that compliance with the regulatory landscape is adequately managed and reported? 22/23: 3.6; 21/22: 3.8

Section C (Information and Support) - How would you rate the quality of papers and presentations received by the Committee? 22/23: 3.9; 21/22: 3.5

The lower scoring questions and comments in our opinion reflect the challenge of addressing
the range and breadth of ARC topics across Post Office and should be read in conjunction with
the positive approach adopted by the Committee in providing an effective challenge to
management and holding them to account, whilst still being supportive.

The timing of the December 2022 and January 2023 ARCs was commented upon as being too close together. The proposed re-scheduling of the ARC dates to 27 November 2023 and 29 January 2024 will allow a sufficient gap to accommodate branch support, contractor furlough and leave during this period.

Proposed actions

Whilst acknowledging the ARC has been evaluated as ‘very good’, we have proposed the
following actions to address the areas of relative lower scores and constructive feedback:

i. ARC coverage to ensure all key risk areas are reviewed to provide a holistic view of the control and operational risk environments within POL, particularly those exposed to legal and regulatory environments;


ii. Strict enforcement of templates and ensuring papers in the reading room are
appropriately cross referenced and or summarised in the main pack.

In addition, to continuously improve the effectiveness of ARC, the following changes are to be
considered:

i. Enhance coverage of lines of defence to ensure this is adequate to provide early warning / lead indicators;

ii. Whether a balanced scorecard regarding Postmaster detriment should be developed;

iii. The Committee formally reviews the 'Forward Plan' on a 6 monthly basis to ensure this remains in line with the risk profile of POL.

Actions and status from the Committee Evaluation 2021/22
The actions from the Committee Evaluation 2021/22 and their status are as follows:

1. Deep dives on key areas are continued to ensure the Committee is appropriately
sighted, with the Committee to consider whether Deep dives are attended by the first
line as well as the second line to widen the perspective.

Status: Completed - Deep Dives completed on an annual basis. Head of Internal Audit
and Interim Group Compliance Director attend ARC to widen the perspective.

2. The Committee Members engage in an annual dialogue to agree where the Committee’s
focus areas for the coming year should be.

Status: Completed - ARC ‘Forward Plan’ is created and presented to ARC in every
meeting.

3. The Committee review the calibre of materials provided by management and consider
requesting management to provide revised reporting templates.

Status: Completed - Updated paper template and guidance provided. The materials are
also reviewed by the RCC to assess quality.

4. The Committee review their Annual Work Plan to assess for any areas of refinement

Status: Completed - The Company Secretariat continues to utilise and develop the
forward plan, which is included as an item for noting at each ARC meeting.

Next Steps
If the Committee accepts the recommendations in the report, it will be asked to consider

incorporating the recommendations into the forward plan for the Committee at its next
scheduled periodic meeting on 10 July 2023.


Appendix 1 - ARC Evaluation Questionnaire 2022/23

Key: 5 = Excellent; 4 = Very good; 3 = Good / at required standard; 2 = Requires development; 1 = Requires significant development

Question (2021/22 average | 2022/23 average)

A. Skills, experience, diversity, knowledge

1. How appropriate is the composition of the Committee for the requirements of the business? (4.5 | 4.7)

2. How would you rate the Committee's understanding of the following areas of the Business:
  i. Financial reporting and management (4.3 | 4.8)
  ii. Operational and Financial Risk Management (4.3 | 4.2)
  iii. Compliance (4.5 | 4.2)
  iv. Internal Audit (4.3 | 4.7)
  v. External Audit (4.3 | 4.7)

B. Leadership, ways of working, time management

3. How would you assess the Chair's encouragement of debate within the Committee, including ensuring that all members are able to contribute to the discussion? (5.0 | 4.8; one N/A response)

4. How effective is the Committee at focussing on the right issues? (4.2 | 4.3)

5. How effective is the Committee at providing both challenge and support to management? (4.3 | 4.0)

C. Information and Support

6. How effective is the Committee at testing the information provided by management and external advisers? (3.8 | 4.1; one N/A response)

7. How would you rate the quality of papers and presentations received by the Committee? (3.5 | 3.9)

8. How comfortable are you that compliance with the regulatory landscape is adequately managed and reported? (3.8 | 3.6)

9. How would you rate the management information received by the ARC and its timeliness (i.e. is it the right information at the right time to provide you with the assurance you need and the understanding of the business you need)? (3.2 | 4.0; one N/A response)

10. How would you rate the access you have to any additional information and support you need to fulfil the requirements of your role (i.e. from management, secretariat or from external advisers, where required)? (4.2 | 4.4; one N/A response)

11. Are the frequency and length of ARC meetings appropriate? (Yes = 6; No: blank in source)

12. Are issues brought to the ARC at an appropriate time? (Yes = 5; No: blank in source)

13. Are there any issues or topics that are not discussed that should be considered at the Board? (Yes: blank in source; No = 3; N/A = 2)

14. Does the ARC have sufficient time in private to discuss matters of concern? (2021/22: Yes = 2, No = 2, N/A = 4 | 2022/23: Yes = 7)


Additional Comments

* It is a really well chaired and run committee.

* ARC agendas are very full. And the papers are voluminous. This places significant demands on members of the ARC to read and digest the papers.

* I think the frequency of the ARC meetings is too frequent, in particular the timing of the December and January ARC. December is a very busy period with focus on time away from the office to provide branch support, Christmas break and the reports are required immediately following the Christmas break; it places a lot of pressure on colleagues to respond to actions, progression of actions can be slow at this time of the year, factoring in change freeze, contractor furlough.

* This year we have had issues with regulatory compliance staffing (now sorted) which appeared to come as a surprise and I think resulted in weaker oversight from ARC. We had a similar issue with cyber controls being de-prioritised. Under the new head of compliance I can see better reporting starting but I worry that ARC do not have an effective line of sight when control frameworks aren't working as designed.

* Compliance rating reflects the fact that we do not have an adequate 2nd line of defence and are having to make compromises due to funding.

* ARC has a large agenda and has to deal with a wide array of risks. Some risk areas seem to fall outside of ARC and go to the Board which might perhaps get more focus at ARC - examples include IDG (CIJ/HIJ compliance), major projects. Both are areas of significant ongoing concern. It is also noteworthy that data management, which seems to have been under-invested in for years, has now become a focus for the organisation perhaps as a result of the Inquiry - should this issue have been a bigger focus for ARC? While the frequency and length of ARC meetings are appropriate for the complexity of the business, I think that some topics / agenda items could be presented less frequently to allow for deep dives into other matters. For example, the risk update, internal audit update and compliance update could be reduced to alternative meetings or with shorter exception reporting only at alternative meetings.

* Carla has been an outstanding Chair and Board director. Zarin provides insightful observations. I am concerned about the capability and expertise once both of those directors leave the business.

15. Please comment on the effectiveness of the interaction with Internal Audit.

* From our perspective the IA interactions are effective, and they highlight the key issues through their papers.

* Good. Cannot comment in any detail.

* Excellent

* Good interaction and clear reporting providing transparency of audit reports/actions.

* Good - reports and recommendations are much more clearly articulated and combining risk with IA has strengthened the team.

* Always open, honest and clear. IA are independent and it is a solid function that adds value to the organisation and the committee. They are trusted and respected. The co-source operation is effective.

* The interaction is good. I wonder however whether IA calls out loudly or persistently enough the issues it finds.

* I believe that the committee has unrestricted, open and honest interaction with Internal Audit. The Head of Internal Audit has unrestricted access to all members of the committee and regular private sessions with the chair (every second month) and with the full committee (every 6 months).

* Excellent. ARC takes considerable interest and reviews Internal Audit at every meeting without fail.

16. I Please comment on the effectiveness of the interaction with External Audit.

* They attend the sessions and are always happy to provide their opinions on wider control issues.

* There are regular sessions with the ARC Chair and the PwC partner/director ahead of every ARC meeting. This ensures that the ARC Chair is well briefed on all external audit related issues - and has the opportunity to challenge / ask questions. This works well.

* Excellent

* Good interaction and engagement with regards to External auditors.

* PwC provide a thorough audit and they provide a good and detailed audit report on the key estimates and judgements. The team at PwC have been very supportive in what has been a tricky year for the annual accounts.

* Open and honest dialogue with clear decision points and transparent communications. Expectations of both organisations are well managed and EA make a full contribution at committee meetings. The team are strong.

* Overall good

* From what I have observed, the interaction with External Audit is unrestricted and effective. The committee also holds private sessions with the external auditors at least every 6 months.

* Very effective, particularly PwC. ARC should encourage the use of more external audits particularly on NBIT, IDG operational and cultural improvements, HMU... those areas where parties outside of POL are unlikely to just accept a POL position given the historical issues.

17. Please include any thoughts you have about the operation of the Committee and any ideas for its future operation.

* I know this may be in process, but areas of concerns (operational risk, regulatory risk and inquiry related risk) should be subject to regular deep dives.

* The retirement from the Board of the current AC Chair means that the ARC is losing a highly diligent, thoughtful and effective ARC Chair. Given the breadth and depth of the current ARC remit - finding someone to continue this significant and detailed work will not be easy.

* With Carla and Zarin leaving we have a massive understanding gap on financial matters with no one who knows how to run a business of the size of POL.

* The frequency to be reviewed, consideration of financial year end, summer break and Christmas period.

* As I said last year the ARC has a very extensive agenda and I would recommend that we think about developing a forward agenda that prioritises discussion time on the biggest issues and does the rest through shorter papers or by exception only. The big topics coming at us are NBIT governance and assurance which is weaker than it should be, regulatory compliance, cyber controls and effective operational controls around PM policies.

* The committee will need to respond to the fact that the company is operating outside of risk tolerance due to the funding. There are also fewer resources internally to provide oversight.

* See above

* The operation of the committee continues to be effective, despite the headwinds and challenges faced by Post Office. The committee has adjusted its focus and appetite in line with changing circumstances and risk profile of the business. The committee (and in particular the new members of the committee) will benefit from having deep dive presentations at the ARC meetings by key areas of the business on a rotational basis. With so many challenges being faced by the business, I think the committee has managed to adopt an approach that is effective in challenging management and holding them to account, whilst still being supporting and understanding.

* More of Carla, Zarin and Ben....


Tab 11.1 Procurement Governance & Compliance

POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT

Title: Procurement Governance & Compliance Report
Meeting Date: 16 May 2023
Author: Liam Carroll - Procurement Director
Sponsor: Alisdair Cameron, Group Chief Finance Officer

Input Sought: Noting

The Committee is asked to review the report, noting the Procurement Risk Exceptions submitted to the Post Office Limited Group Executive and Board since March 2023. A visual breakdown of all Open incidents on 1 May 2023 is available in Appendix 1.

Executive Summary

Since the last ARC report in March 2023 there have been two Procurement Risk Exceptions
submitted to the Group Executive and Board for approval. Our overall non-compliance value
has increased by £9.9M to £12.7M. This is due to additional spend of £1.1M with Zunoma for
the provision of Secure Print and Insafe International Ltd where spend has exceeded contract
value by £9.3M. The resolution of the non-compliant contract with G4S for cash distribution
has removed £0.5M of risk.

There are a number of issues with the data quality of contracts held in the Web3 system which
may lead to the discovery of further non-compliance. A paper is being prepared by Legal and
Procurement setting out the issues and improvement recommendations and will be brought to
RCC in June 2023.

Report - Insafe International Ltd

1. In June 2018 Post Office compliantly let a contract for the supply and installation of branch
cash safes and associated equipment (timers, locks etc) for an initial five-year term with
three optional twenty-four-month extensions with a total contract value of £3.8m.

2. Although BAU spend has been well managed at £2M, an additional £9.9M has been spent
on non-BAU projects. Current spend has reached £11.9M with a projected additional spend
of £1.2M to March 2024.

3. This over-spend represents a significant failure to adhere to the Contract Management Framework.

4. The increase in spend is considered to be a Substantial Modification under Regulation 72(8) of the Public Contracts Regulations 2015 (PCR). Substantial Modifications are not permitted under PCR unless there are any exemptions relied on; however, in this instance

5. The risk of a challenge arising is low and further mitigated by the plan to re-procure by
October 2023 however, the possibility of challenge exists on the grounds that had potential
suppliers in the market known of the value, they would have bid for the contract at the
time.

6. If Retail are unable to purchase safes and associated equipment Post Office branch
opening programmes would be negatively impacted, as would the ability for the Physical
Security team to mitigate branch issues in securing cash on-site leaving Postmasters at
risk of robbery and increased losses.


Report - Zunoma

7. Board approved a non-compliant direct award to Zunoma for secure print in November
2022. The contract was awarded to allow POL to continue pay-out services to customers
under various schemes such as the Warm Home Discount Scheme and to meet our
contractual obligations with utility companies.

8. Increasing the spend by £1.1M will take the total contract value to £2.7M. The increase in spend is due to the successful delivery of numerous schemes (EBSS being the main scheme). Post Office has gained more clients, leading to an increase in additional schemes that clients have chosen to place with POL. This has meant a bigger increase in spend than anticipated.

9. As the direct award to Zunoma was not compliant with the Public Contract Regulations we
cannot rely on any Regulatory exemption for this modification. It remains Procurement’s
view that we are unlikely to receive a challenge to this direct award or modification.

10. Procurement is currently working with an existing supplier, HH Global, to bring the secure print services within the scope of their contract by June 2023; this is a compliant route.


CACI - Owner: Owen Woodley; Value: £392,380; Start: 14/04/2020

Banking Services (Commercial) - Owner: Owen Woodley; Supplier: Barclays; Value: £320,000; 25/06/2020 to 16/03/2025; Approval: Board

Payout Services (Commercial) - Owner: Owen Woodley; Supplier: Zunoma; Value: £2,700,000; 01/09/2020 to 30/06/2023; Approval: Board

Property (Retail) - Owner: Martin Roberts; Supplier: Insafe; Value: £9,300,000; 06/06/2018 to 31/10/2023; Approval: Board

Total: £12,712,380

CACI - Board approved direct award in April 2020

The items purchased through CACI are OCEAN & FRESCO, which are attitudinal segmentations that, when applied to the Post Office customer database (BRANDS), allow us to do the following:

* Provide the underlying data which enables the new Post Office customer segmentation.
* Run counts in BRANDS of how many customers we have in each of these segments.
* FRESCO & OCEAN are also the underlying data that powers our CRM propensity modelling.

There is currently no framework in place for these tools and to run an FTS procurement would take at least 6 months.
At this date there is no appetite for an FTS procurement to take place as we would have to re-create the entire Post
Office Segmentation every 2-3 years to accommodate another vendor.

Banking Services - Postal Orders and Camelot Cheques. Service originally with Co-Op, who terminated the contract in order to exit the cheque clearing market. Barclays stepped in to pick up the service as it is very similar to cheque clearing. As agreed with the Board in November 2021, the corporate banking contract with Barclays was extended compliantly under Reg 72 of PCR 2015. Given the synergies of the contracts and the uncertainty over Camelot's contract for the National Lottery, it was agreed to continue the contract with Barclays for Camelot Cheques and Postal Orders.

Payment Services — Board approved direct award in November 2022. Zunoma (previously Smith & Ouzman), have
been operating as POL’s security print provider since the commencement of Payouts in 2006. The original contract
was created in June 2018 and backdated to 2015. The contract expired in July 2019. The Energy Payouts were put
through the Zunoma contract as this was seen by the Business as a continuation of a BAU service.

The direct award of the contract to Zunoma is non-compliant with the Public Contract Regulations. It is Procurement’s
view that we are unlikely to receive a challenge to this direct award.

Insafe International Ltd - In June 2018 Post Office compliantly let a contract for the supply and installation of branch
cash safes and associated equipment (timers, locks etc) for an initial five-year term with three optional twenty-four-
month extensions with a total contract value of £3.8m.

Although BAU spend has been well managed at £2M, an additional £9.9M has been spent on non-BAU projects.
Current spend has reached £11.9M with a projected additional spend of £1.2M to March 2024.

This over-spend represents a significant failure to adhere to the Contract Management Framework. The risk of a
challenge arising is low and further mitigated by the plan to re-procure by October 2023.


Tab 11.2 Post Office Insurance ARC update


POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT

Title: POI Risk Update
Meeting Date: 16 May 2023
Author: en Holloway, Director of Risk and Compliance
Sponsor: Clare Ryder, Audit and Risk Committee Chair, Post Office Insurance

Input Sought: For Discussion

Previous Governance Oversight

This paper is a regular Committee Update.

Executive Summary

1. Top risks which POI are managing

1.1 Cyber security. POI's cyber risk remains a significant concern of POI Management and
the POI Board. The POI ARC commissioned a review to look at both POI's exposure to
cyber risks and specifically any exposure arising from POI's reliance on POL for systems
involved in the selling of POI policies and support for the POI business in areas such as
finance, company secretarial and office-based systems. This review was discussed at a
special ARC meeting on 4 May 2023. The POI Board have formally escalated this risk
noting that there is a need for the POI Board to more fully understand the inter-relationship
between POI and POL systems and the cyber exposure that these inter-relationships create.

1.2 Understanding risks which POL considers out of tolerance. POI is also working with
the POL ARC and the POL Risk Team to understand how relevant risks which have been
graded out of tolerance for POL are formally escalated to POI. This is particularly
important given the regulated nature of the POI business and the inter-connectivity of a
number of systems.

1.3 Risk of Recession. POI has core product lines in travel and protection, which are both
discretionary spends for customers. Concern remains that a recession may have some
impact on business volumes and profitability. Variable cost areas such as some aspects
of call centre resourcing can be throttled back if volumes fall, and Management are
continuing to monitor performance closely. There is no evidence yet in performance that
this risk is manifesting itself and overall business volumes and profitability are holding up
well. However, we note that there are likely to be further interest rate increases by the
time of the POL ARC which may further impact customer spending power.

1.4 Impact of Inflation. Inflation is already having a major impact in Insurance. Claims
costs are increasing as staff, materials (home repairs), car parts and medical expenses
are all rising. Premiums are steadily increasing in Motor and Home Insurance, and whilst
this offers some opportunity (commissions can rise too), the impact on customers and the
market is uncertain.


1.5 People and organisation. The financial services job market remains buoyant, even as
the UK enters recession. POI has a number of skilled staff who will be attractive within
the market more generally and general wage rates are increasing markedly beyond those
paid by POL or POI. Individual retention activity has been undertaken and Management
and HR have a significant focus on succession planning. To date, only limited staff
turnover has been seen in POI, but there are risks that this increases over the remainder
of the calendar year.

1.6 GI pricing. The changes required by the FCA’s GI pricing initiative have been successfully
delivered by POI. Management have however retained this risk at a significant level to
reflect the overall impact on pricing within the household and motor markets, which did
not behave quite as expected at the beginning of the year, continues to evolve, and in
which there is an expectation that further market behavioural change will happen on the
anniversary of the changes. This may also offer opportunity, but the uncertainty in a
changing economic environment leads to maintaining a watching brief.

1.7 Duck Creek upgrade. Management are pleased to note that this implementation has
been completed with minimal issues to report.

2. Appointed Representative/Consumer Duty Work

2.1 The travel insurance sales process has now been redesigned and simplified to deliver a
better quality of sales, by improved literature design and eliminating process failure
points. This supports Postmasters and customers in achieving better sales outcomes
and reduces inherent process risk.

2.2 The mystery shopping process has been adapted to mirror the new sales process. The
shops conducted in October and November have been back tested using the new
process and show that c.80% of sales would be compliant based on process
improvement and before the addition of further enhancement initiatives.

2.3 POI Product and Compliance are working collaboratively on a series of sales quality
initiatives to further enhance the effectiveness of feedback loops into the retail
network, contributing to further enhancement of sales quality.

2.4 Whilst POI highlights the need to improve process, the back-testing conducted
highlights that customers were for the most part given leaflets highlighting limits and
exclusions. Mystery shops have been marked down where specific pages have not
been highlighted. The design of the product means that key medical cover limits are
unlikely to ever be breached and there are no declines across our book based on
branch non-disclosure. Conduct data also does not highlight material issues via
complaints, declined claims or other data. Sales quality needs to improve, but POI is
satisfied on the back of our analysis that there is no material mis-selling risk.

2.5 The improvements from the process are currently being implemented and we expect to
see mystery shopping results improve from June/July 2023 onwards. We will update
the Committee on our progress.


Appendix - Risks with Residual Grades of 9 or over

[Table with columns Name, Owner, Description, Score/Movement, Commentary. The body of the table is not legible in the scan; recoverable entries include Cyber security, Duck Creek upgrade and People and organisation (owner Ed Dutton), together with one commentary fragment: "propensity to cancel, of recessionary impacts noted within our business plans and Management closely monitor business performance to".]


Tab 11.3 Payment Practices Reporting Compliance

POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT

Title: Payment Practices Reporting - Compliance
Meeting Date: 16 May 2023
Author: Tom Lee, Financial Controller
Sponsor: Alisdair Cameron, Group Chief Finance Officer

Input Sought: Noting

The ARC is asked to note Post Office’s compliance with Payment Practices Reporting
requirements for the financial year ended 26 March 2023 (“FY22/23”).

Previous Governance Oversight
• Risk & Compliance Committee (RCC) 9 May 2023

Executive Summary

Post Office Limited (“POL”) has a statutory duty to file Payment Practices Reporting with
Government on a bi-annual basis. Post Office Management Services Limited (“POI”) and
Payzone Bill Payments Limited (“PZ”) fall outside the scope due to their size. POI was
required to report until end of FY20/21, after which point the decline in company revenues
removed the requirement. Reports are still produced for POI but are retained internally. The
reporting includes payment policies, practices and performance. No changes have been made
to the filing requirements in year.

POL has filed Payment Practices Reporting as required for the past five financial years
(FY18/19 to date) for the entities in scope. POL has controls in place within the Financial
Reporting Controls Framework to ensure timely and accurate reporting. The reporting is also
shared with the Group CFO for POL and the FD for POI to review and approve before filing or
reporting internally. This report focuses on POL as the only reportable entity.

Payment performance has been consistently strong within POL. Paid to time rates averaged in
excess of 90% for FY18/19 and FY19/20 with a slight drop to 85% in FY20/21 due to the
introduction of a new procurement system, Web3. Following the bedding in of the new
system the average paid to time rate increased to 95% in FY21/22.

In FY22/23 the average paid to time rate was 93%, showing a slight drop on the prior year
but remaining very strong. The primary drivers of late payments were late goods receipting by
the business, accounting for c. 50% of those paid late, issues with Purchase Orders (setup,
errors and replacements) and delays in invoices being submitted to the Accounts Payable team
(by the business), thus impacting payments. Additional training has recently been rolled out to
the business by the payment and procurement teams to remind colleagues of the importance
of goods receipting and how to do it accurately in Web3, to prevent further reductions in
performance.

Internal audit (“IA”) completed a review over the process in Q4 FY21/22. The result was
positive, with the findings being minor. Amendments, including some efficiencies and
enhancements to the reporting process were made in FY22/23 as a result of the IA review.


Questions addressed

1. What are Payment Practices Reporting requirements?
2. Has Post Office Limited Group been compliant?
3. What have the payment performance trends been to date?
4. What processes are in place to ensure compliance?

Report
Overview of payment practices reporting

1. Payment Practices Reporting (“PPR”) is a statutory duty for companies, which exceed the
size criteria as outlined in para 2, to publish information about their payment policies,
practices and performance in relation to qualifying contracts for each reporting period in
the financial year.

2. Companies are in scope for the financial year if on their last two balance sheet dates they
exceed at least two of the following thresholds:
i. £36 million turnover
ii. £18 million balance sheet total
iii. 250 employees

3. POL has been in scope for PPR for the last four financial years.

4. POI was in scope until end of FY20/21 when it dropped out due to a downturn in revenue.

5. PPR must be filed twice a year (April and October), with each report covering the previous
6 months.

Compliance to date

6. Post Office has filed PPR reporting since the rules came into place for financial years ending
on and after 6 April 2017.

7. The payment performance statistics which have been reported to date are shown in
Appendix 1. The table represents the percentage of invoices which have been paid within
30 days, 31 to 60 days or over 61 days for financial years.

8. The reporting includes policies and practices such as (i) standard payment terms (ii)
changes to terms made in the reporting period (iii) dispute resolution processes. Appendix
2 shows a template of all of the required reporting information.

9. The reporting rules allow for different payment terms (i.e. more than 30 days) for different
types of contract. However, Post Office primarily has standard 30-day terms across
suppliers and therefore reports on this basis as standard.

10. Post Office has not received any Government correspondence in response to any PPR
submitted to date.

Reporting trends

11. As shown in Appendix 1, the proportion of invoices paid within 30 days is consistently high
during FY18/19 and FY19/20 for POL, remaining in excess of 90%.

12. In FY20/21, on time reporting declined due to the impact of migrating to a new
procurement system, Web3, with a move towards 3-way matching driving much of the
decline as the business got used to goods receipting.

13. In FY21/22 the payment performance increased to 95% and it has remained high in
FY22/23 at 93%.


14. Where payments have not been made within 30 days, the majority of the remaining
payments are made within the following 30 days i.e. within 60 days.

15. Post Office has identified the main reasons for late payments as (i) late goods receipting,
(ii) issues with purchase orders, including setup, errors and replacements, and (iii)
invoices being shared with POL stakeholders instead of Accounts Payable and only being
shared with Accounts Payable for processing once they are already overdue i.e. due
process not being followed. In some cases invoices are also held back purposefully whilst
negotiations are ongoing with suppliers, which impact the statistics also.

16. One of the IA findings in FY21/22 was that POL should determine a target level by which
performance can be measured. Given the performance has been consistently high, this
has not been a priority. However, the voluntary prompt payment code has a target of 95%
within 60 days which POL has consistently achieved against and sets a good marker to
continue to compare with.

Processes in place to ensure accurate reporting

17. Post Office has controls in place within the Financial Reporting Controls Framework to
ensure that it is compliant with the PPR rules and files accurate information on a timely
basis:

a. Bi-annual control whereby the Accounts Payable team prepare the PPR before the
required deadlines. The reporting is reviewed by an Accountant outside of the
Accounts Payable team to ensure independent assurance has been provided over the
accuracy of the reporting.

b. Bi-annual review of Post Office Group entities against the scope criteria in section 2
to ensure Post Office is filing PPR for all required entities.

18. The final report is shared with the Group CFO for POL and the FD for POI Limited to review
and approve before filing (where required). The email accompanying the report includes
details of key trends in the period, as well as any changes to policies where applicable.


Appendix 1

[Table: percentage of invoices paid within 1-30 days, 31-60 days and over 61 days, by financial year (FY18/19, FY19/20, FY20/21 and later); the values are not legible in the scan.]

Appendix 2

Start date of reporting period
Day: 2?th (per Govt notification)
Month: Sept
Year: 2022

End date of reporting period
Day: 26th
Month: March
Year: 2023

Payment Statistics
Average time to pay in days: (not captured)
A) % of invoices paid between day 1 and 30 (inclusive): 33%
B) % of invoices paid between day 31 and 60 (inclusive): 3%
C) % of invoices paid on or after day 61: 35
% of payments due in reporting period which have not been paid within agreed period: (not captured)

Payment Terms and Qualifying Contracts
Enter your standard payment period in days: 30 standard terms
Describe your standard payment terms: Payment terms range from immediate payment to 80 days
Were there any changes in payment terms in reporting period: No
Enter the maximum contractual payment period: Maximum contracted payment term is 30 days or less

Dispute resolution process: (not captured)

Does your business offer e-invoicing: No
Invoice document management: No
Does your business offer supply chain finance options: (not captured)
Can your business deduct sums from payments as a charge for being on the supplier list: No
Has your business deducted sums from payments as a charge for remaining on supplier list: No
Is your business a member of a code of conduct or standards on payment practices: No


Tab 11.4 Strategic Partner Risk & Failure Monitoring Paper & Dashboard

POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT

Title: Strategic Partner Risk Update
Meeting Date: 16 May 2023
Author: Abigail McGeever, Strategic Partnerships Business Manager
Sponsor: Martin Roberts, Group Chief Retail Officer

Input Sought: Noting

The Committee is asked to note the Strategic Partner Q1 financial risk and stability update as per
the agreed review process.

Previous Governance Oversight

Noted and submitted to RCC reading room on 9 May 2023

Executive Summary

1. The partner risk and stability tracker measures risk within the Strategic Partner estate.
The development of this risk and stability tracking process will ensure we are
measuring the management of risk across our partnerships with a consistent, factual
and informed approach, enabling us to highlight areas of concern whilst standardising
the approach we will take in such instances of risk identified.

2. The development of this process has moved to include the risks associated with both
financial and non-financial concerns, which include trading behaviours, partnership
engagement, management structure and prioritisation of the Post Office as a partner, to
enable both a qualitative and quantitative assessment of risk.

3. Information provided within this deck is formulated using our relationship with
Experian, Commercial Finance and other credible analyst sources (including IGD and
ACS) as necessary, along with insight from our SP account management team, in
providing reassurance to the business.

4. In monitoring these elements of our largest partners, we are able to identify the
possible risks associated with critical service locations or multiple branch closures. In
doing so, we are able to work with network teams to create mitigation plans or rescue
packages to reduce high levels of risk to the network access criteria.

5. The monitoring of the partners' risk status will be managed monthly by the SP and
Commercial Finance Team; formal tracking to RCC will be provided quarterly in
accordance with the POL financial calendar, with an overall summary and full report in the
reading room. Any partners identifying a new significant risk will be flagged to relevant
GE members with mitigation plans and, where necessary, a summary brought to RCC in
the month following their status change to ensure a high level of awareness and
management.


Report Headlines (As of May 2023 Report)

6. The report shows the financial status of partners with an overlay of a management
assessment that takes account of both qualitative and quantitative information
available to us from credible sources such as trade press and analysts and also the
insights drawn from partners themselves.

7. McColls (Morrisons Ltd) remains highlighted with significant risk as ‘red’ rated. This is
now documented as Morrisons in the report following the transfer as of November
2022.

8. As previously highlighted 28 sites were identified by the CMA as having competition
concerns (20 having PO Branches), Morrisons will sell these stores with the PO included
as a mandatory requirement. The sale of these stores is planned to be concluded by
17th May 2023, transfers of the Post Office to new retailers for the 20 locations are in
process and are planned to complete by end of Q1.

9. POL has worked closely with Morrisons to support the introduction of a new structure
which provides greater on the ground support and knowledge for the branches. This
has included a series of training workshops which are now being supported further with
on the ground tools to ensure the learnings are embedded into the new structure as
standard business ways of working. This will be monitored closely in the coming
months but has shown great initial results in performance improvement.

10. The former McColl's business is now being operated by Alliance Property Holdings Ltd, a
subsidiary of Morrisons. The existing contractual agreement will continue to apply (albeit
it will now operate between APH & POL) while we continue to work through the shared
purpose of agreeing a new longer term supply agreement. This is in final stages of
agreement with the new framework on track to be in place in the coming weeks. We
have assessed the risks and are managing these currently with the view that the risk
status will move to ‘amber’ by end-May once the new framework agreement is in place.

11. One Stop has previously been highlighted as ‘amber’ risk but moves to ‘red’ risk status
whilst we continue to work through options to review the profitability of 64 branches of
the estate. There remains a risk that a small proportion of stores may be requested to
close based on profitability however at present we are working closely with the partner
to find solutions either via alternative formats or introducing further product
propositions via the mail’s strategy. Confidence is high that a solution will be found for
most stores however some risk remains that there could be a small number of closures
required. Any agreed closures would be subject to normal terms and notice periods.

12. CJ Lang has been added as a ‘red’ risk status due to some concern raised about
profitability of a small number of their estate. The new Sales Director has completed a
review of the business which has identified some profitability concerns and a small
number of branches at potential risk of closure. We are working closely with the
partner to look at alternative propositions such as D&C to mitigate potential closure
risk and will provide further updates should any risk materialise.


13. Midcounties Co-op has previously been highlighted as ‘amber’ risk but moves to
‘green’. The risks previously identified had been based on financial assessment. Based
on the latest reports available the financial position has shown positive improvement.
In addition, Mid Counties have signed up to the 3 year framework agreement and
invested in new stores formats through the D&C proposition demonstrating their long
term commitment to working with POL and providing POL with a reduction in risk to
network numbers. Given this improvement, we have assessed risks are limited at this
stage and we will continue to monitor as part of the normal monthly cycle.

Further Update
14. Update provided to ARC following RCC.


Tab 11.5 Committee Forward Plan

Audit, Risk & Compliance Committee Forward Plan, January 2023 - March 2028

[Table: forward plan of agenda items by meeting date; the contents are not legible in the scan.]

STANDING ITEMS FOR NOTING (NO PRESENTATION)