WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
Witness Name: Donald Brydon
Statement No: WITN10320100
Dated: 11 November 2024
POST OFFICE HORIZON IT INQUIRY
FIRST WITNESS STATEMENT OF SIR DONALD HOOD BRYDON
I, SIR DONALD HOOD BRYDON, will say as follows:
INTRODUCTION
1. I was Chair of Royal Mail Holdings plc ("RMH") from 27 January 2009 to 10
September 2013 and Chair of Royal Mail Group Limited ("RMG") between 27
January 2009 and 31 August 20151. I then became acting Chair of the RMG's
100% subsidiary, Post Office Limited ("POL") from 1 May 2009 until 22
September 2011.
2. This witness statement is made to assist the Post Office Horizon IT Inquiry (the
"Inquiry") with the matters set out in the Rule 9 Request dated 7 August 2024
(the "Request"). The Request asks me to comment upon events that now took
place over a decade ago. Due to the significant amount of time that has now
I Irefer to RMH and RMG collectively throughout my statement as ‘Royal Mail’. The terms ‘the Group’ and 'Royal Mail Group’ are used
to denote RMH, RMG and POL collectively.
Page 1 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
passed, and the many senior roles I have undertaken since, it has on occasion,
been challenging for me recall certain information. During my time as Chair of
Royal Mail, I recall that I was in the habit of keeping a day book(s) in which I
made notes at meetings to serve as aides memoire. I am no longer in
possession of these books and therefore have constructed my answers from
memory. I should also note that since my departure from Royal Mail and POL,
I have read extensive press coverage in relation to the issues covered by the
Inquiry. This has made it difficult for me distinguish definitively between
information I knew at the time and information I have learnt since my departure.
Regardless of this, I have provided responses to the best of my ability.
3. I have been provided with some documentation by the Inquiry which has aided
my memory. I have also asked the Inquiry for copies of a limited number of
documents, some of which have been provided to me. However, I understand
that some documents are no longer available. If further documentation
becomes available to the Inquiry, I would be grateful for the opportunity to
review this material and update my statement where necessary. I also wish to
add that if the Inquiry would like me to comment upon any specific subjects,
documents or events not covered by my statement that relate to my role at
Royal Mail or POL, then I would be happy to do so.
4. I have structured this statement into nine sections. In the first section, I provide
the relevant background, including my career and appointment as Chair to the
boards of Royal Mail and POL. In section two, I describe the corporate structure
of the Group during my tenure. In section three I discuss my role as Chair, the
role of the board and executive management of Royal Mail and POL. I further
address specific questions within the Rule 9 request in respect of the allocation
Page 2 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
of responsibilities. In section four, I explain my knowledge of the Horizon IT
system during my tenure at Royal Mail and POL. In the fifth section, I comment
upon the audits and reviews of the Horizon IT system and selected documents
that have been provided to me by the Inquiry. In section six, I discuss the
separation of POL and Royal Mail. In section seven, I comment upon
documents which have been provided to me by the Inquiry relating to
complaints by SPMs. In section eight, the final section, I offer some thoughts
and reflections. I am grateful for the opportunity to reflect on my involvement in
Royal Mail and POL.
5. Having reflected on the events with the benefit of hindsight and the scrutiny of
the Inquiry to date, it is clear that matters were not as transparent as they should
have been. I wish to assist the Inquiry in every way possible and support the
work being undertaken to identify the failures that took place which led to these
tragic events and prevent any sort of recurrence in the future. I wish to extend
my sincere sympathy to those whose lives have been affected by these events,
both SPMs and their families.
SECTION 1: BACKGROUND
6. I have a BSc in Mathematical Science from the University of Edinburgh
(1966). Prior to joining Royal Mail, I had a career in asset management
culminating in leading BZW Investment Management and AXA Investment
Managers. In due course, I became Chairman of Amersham plc, TNS plc,
Smiths Group plc, London Metal Exchange Ltd, The Sage Group plc, and
London Stock Exchange Group plc, in some instances after serving as a
Page 3 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
director. I was also the Senior Independent Director of Scottish Power plc and
Allied Domecq plc.
7. In 2008, I was approached by Zygos (Search Consultants) and asked if I wished
to apply for the role of Chair of RMG. After discussion, I allowed my name to go
forward. I was interviewed by Zygos, (now Sir) Stephen Lovegrove (SHEX),
Adam Crozier (CEO RMG), Richard Handover (Non-executive director RMG),
and Lord Mandelson (SoS, BERR) and Geoffrey Norris (BERR), in addition to
many other meetings”. These meetings focused on Royal Mail as a whole.
8. I joined the board of RMG on 27 January 2009 and chaired my first meeting
approximately four weeks later. I left RMG over six years later on 31 August
2015. At the time I joined, RMG was a wholly owned subsidiary of RMH. RMH
was owned by the UK Government and was the ultimate parent company for
the Group. I was appointed Chair of the board of RMH from 27 January 2009 to
10 September 2013. I cannot now recall the precise distinction of
responsibilities and roles between RMH and RMG. I have been provided by the
Inquiry with some minutes for RMH board meetings and can see that it was this
entity which carried out the substantive work. Should minutes of the RMG board
meetings become available subsequently, I would welcome the opportunity to
review these minutes and provide further comments if of assistance to the
Inquiry.
9. As part of my role at Royal Mail, I became acting Chair of its 100%-owned
subsidiary, POL. I continued in this role as Chair of the POL board from 1 May
? SHEX is the acronym for The Shareholder Executive; BERR is the acronym for the Department of Business, Energy and Regulatory
Reform; and SoS stands for Secretary of State.
Page 4 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
2009 until 22 September 2011. Initially, this board mainly performed statutory
functions, otherwise functioning more like an internal committee of the Group.
It had no independent directors, but as the separation of POL from RMG
became more certain, I led it to act more like an independent board in
preparation for the separation. Its membership evolved in order that it was ready
to become a stand-alone board with an appropriate diversity of skills and
background after separation.
10.During my time in these roles, the Royal Mail Group was enormously
strategically challenged. Falling volumes of mail and the rise of digital
communications, increasing competition (encouraged by the regulator), a
massive pension fund deficit, restrictions on pricing freedoms, the demands of
the Universal Service Obligation, a heavily unionised workforce, the outsourcing
of much of the intellectual property of its core technology and the challenges of
dealing with government provided a very full agenda for any board. In addition,
POL was trying to maintain a physical estate in this digitising
world. Government needed positive outcomes.
1
.I have been asked to set out other jobs, roles or directorships I held whilst I was
engaged with Royal Mail and POL. During my time with both businesses, I held
various non-executive positions. I have provided further details of these
positions below.
a. I was Chairman of the London Metal Exchange between 11 September 2003
and 20 April 2010. I ceased this role shortly after my appointment as Chair
of the Royal Mail and POL;
Page 5 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
b. I was a non-executive director of AXA Investment Managers SA and AXA
Real Estate Investment Managers (both wholly owned subsidiaries of AXA
SA) from 2009 until 2010 and 2012 respectively;
c. I was Chairman of Smiths Group plc between 19 April 2004 and 19
November 2013;
d. I was Chairman of the Sage Group plc between 6 July 2012 and 30
September 2021;
e. I was director and subsequently, Chairman, of the Science Museum
Foundation between 25 July 2012 and 1 January 2021. This was a not-for-
profit activity;
f. I was Chairman of Chance to Shine Foundation Ltd between 4 September
2014 and 4 September 2023. This was a charity providing opportunity to
children through participation in cricket;
g. I was Chairman of Lifesight Limited between 5 January 2015 and 30 June
2017. This was a pensions' MasterTrust sponsored by Towers Watson;
h. I was appointed by the Secretary of State (BEIS®) in the UK Government as
the Chairman of the Medical Research Council on 1 October 2012 and held
this role until 31 March 2018; and
i. I was Chairman of the London Stock Exchange between 19 June 2015 and
1 May 2019. I began this role as my tenure at RMG was coming to an end.
12.All of the companies I worked for were aware of the other roles I held. I did not
work on set days, other than on formal occasions such as board or committee
meetings, for each company as it was impractical to do so. Instead, my time
commitment for each company varied depending upon the particular business
needs of each company at any given time. I ensured I dedicated sufficient time
* BEIS is the acronym for Department of Business, Energy and Industrial Strategy.
Page 6 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
to all of the roles that I held, including my role at RMH, RMG and POL. Had I
thought at any point that I needed to dedicate more time or attention to any role,
or that it was desirable to have more support I would have made that plain and
adjustments could and would have been made accordingly.
13.1 recall that there was a period of time of around 3 months when I was Chair of
Royal Mail following Adam Crozier's resignation as CEO in April 2010, and prior
to Dame Moya Greene's appointment in July 2010, where I took a greater
interest in the affairs of the company than usual in order to support the business
during this intervening phase.
14. In all of the major roles I held, I was subject to performance reviews in which I
was consistently positively rated*. These served as independent confirmation
of my subjective assessment of the needs of each role and my ability to meet
their combined demands. Throughout my long career I have held multiple non-
executive roles at different companies. I believe that the knowledge and
experience I have gained of different industries and businesses has been
invaluable to the boards of all the companies with which I have worked.
15.In providing this statement I have reflected on the roles I held at the time I was
involved with Royal Mail and POL. Even if I had had fewer roles or the demands
of them been less I would not have conducted myself any differently, seen more
information or had reason to ask more questions; I would have given the same
amount of time to Royal Mail and POL and done the same at the time. As set
“ These are conducted annually for the year before by a senior independent director and in line with a formal structured process. The
results are fed back to me and can provide learning and development points if appropriate.
Page 7 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
out herein there were other obstacles in the way of the board(s) or me being
made aware of the real problem and its implications.
16.Since leaving Royal Mail in 2015, I completed almost 10 years at The Sage
Group plc and took the chair at three (now two) venture backed businesses, the
most notable of which is Tide Holdings. I also joined the board of Hanover
Investors. I completed almost 10 years as Chair of Chance to Shine. In 2018/19
I led the Independent Review into the Quality and Effectiveness of Audit for
HMG.
17.1 should note that around July 2012, I underwent a significant medical operation.
At that time, I was Chair of Royal Mail, and for a period of approximately 8 — 10
weeks I had reduced involvement whilst I recovered successfully from this major
procedure. Royal Mail was aware of this procedure and arrangements were put
in place so that there was no adverse effect to the business.
SECTION 2: CORPORATE STRUCTURE
18.When I joined Royal Mail in January 2009, RMH was the parent company. The
UK Government wholly owned RMH. RMG was in turn a wholly owned
subsidiary of RMH. POL was a wholly owned subsidiary of RMG.
19.On 1 April 2012, POL was separated, and ownership of POL was transferred
from RMG to RMH. The UK Government continued to own RMH. I remained on
the board of RMH, I believe along with Alice Perkins (Chair of POL), in order to
provide a forum in which to settle any potential disputes between RMG and POL
(but I could be wrong). I resigned from RMH on the 10 September 2013. RMH
Page 8 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
was then renamed Postal Services Holding Company Limited (on 11
September 2013). Following the separation of POL and RMG in April 2012, POL
was a subsidiary of RMH, however, in practice its CEO reported straight to
SHEX.
20.On 6 September 2013 I was appointed Chair of Royal Mail plc. On 12
September 2013, RMH transferred its shares in RMG to Royal Mail plc. Royal
Mail pic's shares were listed on the LSE on 11 October 2013.
SECTION 3: ROLE AND RESPONSIBILITIES
Role as Chairman
21.As non-executive director (‘NED’) and Chair of the boards for RMH and RUG
my role involved the following: constructing the board to ensure it had the
appropriate range and diversity of skills, ensuring that the board was effective,
establishing the agenda for meetings, taking input from executive and non-
executive directors, keeping directors informed between meetings (through
phone calls, emails and meetings), ensuring the board’s performance was
measured, ensuring that non-executive directors had the opportunity to meet
without my presence to discuss my performance, providing guidance, support
and challenge to the executive directors, leading discussions to endorse
strategic direction, ensuring the appropriate oversight was in place either at the
board or through its committees, considering succession planning, leading the
board to establish the company’s risk appetite and that only those risks the
company wanted to take were being taken whilst mitigating unwanted risks,
setting goals, monitoring and challenging performance, representing the board
to the shareholder, and representing the company when appropriate to other
Page 9 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
stakeholders. This list is not exhaustive. In carrying out this role I visited sorting
offices, mail centres, post offices, other departments and subsidiaries, for
examples, GLS in Germany. Exceptionally, I also initiated a review by a senior
retired Judge of the issues arising from postmen and women being attacked by
dogs and led the efforts to establish a Postal Museum & Archive.
22.1 also led the recruitment process for the new CEO of Royal Mail in 2010. I
successfully recommended Moya Greene (now Dame) for appointment to the
new Government in May 2010 in which role she effectively fulfilled a challenging
brief.
23.As previously mentioned within paragraph 9, when I joined Royal Mail, in my
opinion, the POL board was not well developed. Its construct recognised that
its MD reported to the Royal Mail CEO. As noted above, the board initially was
therefore more like an internal committee. I became NED and acting Chairman
(I believe the position was never formalised by BEIS) of POL approximately 3
months after taking up the Royal Mail role. Whilst there were discussions of
operational matters at the start, these were more by way of information sharing
than formal reporting. I saw my role as to formalise the board and, in
anticipation of the separation that was to come, to start to build the processes
that would ensure that a functioning board could be passed on to my successor.
I arranged the appointment of the first independent NED (others were non-
executive in POL but were not independent by virtue of holding executive
positions in RM). POL outsourced its audit and risk oversight to the RMH Audit
& Risk Committee ("ARC"). The role therefore did not have the same formality
as the Royal Mail role, although as the board evolved, the strategic and
oversight roles grew.
Page 10 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
24.1 did not hold an executive position at RMH, RMG or POL.
25.Royal Mail endeavoured to follow the practices of public companies and acted
in the spirit of the Combined Code issued by the FRC. I chaired the board of
RMH as I did the boards of public companies; the major difference was having
only one shareholder. With regard to the shareholder, HMG, I saw my role as
ensuring the board was aware of the shareholder's views on major issues and
that reciprocally the shareholder understood the views of the board. In the case
of Royal Mail there were major issues of potential changes in ownership and
funding which necessitated a clear understanding in both directions. However,
there were multiple routes of communication between executives of Royal Mail
and POL and other senior members of SHEX.
Role of the Board & Responsibilities
26.The role of the Royal Mail board was to set the tone and culture, test and
challenge strategic decisions, monitor performance and satisfy itself, through
the ARC, that an effective framework of systems and controls was in place
defining authority and accountability and promoting success whilst permitting
the management of risk to appropriate levels. During my tenure on the POL
board, I endeavoured to develop the same roles for the POL board as for the
Royal Mail board. It was the role of the executive management to provide
information to both boards which allowed them to exercise properly their roles.
5 Post separation POL no longer relied on RMH ARC
Page 11 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
27.Within the Request I am asked where responsibility lay for “(a) monitoring the
Horizon IT system and (b) criminal prosecutions and civil proceedings arising
from alleged shortfalls in branch accounts based on Horizon data’.
Responsibility for (a) lay with the executive management of POL, being a
system uniquely operating within POL. This distinction became even more
defined after separation. In the event members of the executive management
found any significant issues with the system it was their responsibility to report
these through the CEO or CFO to the ARC and the POL board. If any executives
felt as though reporting lines had been comprised and that important information
was not making its way appropriately ‘up the chain’ to senior management or
the board, then there were whistleblowing processes in place to circumvent
original reporting routes to communicate directly any issues. Responsibility for
(b) lay with the legal function within the executive management of RMG prior to
POL separation, and within POL thereafter. Again, if executive management
had found any significant issues, it would have been expected that the executive
would bring such issues to the board. To this end, I do recall that the issues in
respect of (a) and (b) above were discussed at various POL board meetings
and that reassurances as to the integrity and safety of the prosecutions and
Horizon system were provided on multiple occasions, please see paragraphs
38, 39, 59, 60, 71, & 86 — 89.
28.The Inquiry has asked questions about the RMG board's role in oversight of a
number of matters (criminal prosecutions brought in the name of the company,
civil litigation brought by or against the company, the company’s IT, and
compliance with the Race Relations Act 1978/Equality Act 2010). Subject to
materiality and apart from IT, I would have expected the Royal Mail board to be
informed of any significant failings in these areas by the Company Secretary
Page 12 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
(Jonathan Evans or John Millidge) and/or CEO (Adam Crozier or Dame Moya
Greene) through regular reporting lines, if they were aware of the failings.
29.For IT, reporting to the Royal Mail board came through the CEO or the Group
CTO.
30.The Inquiry also asks about RMG's board “oversight of any accounting system
used to collate individual transactions cash and stock declarations etc. used for
the purpose of preparing management and statutory accounts”. Oversight of
these systems was performed by the ARC. Here the ARC received reports from
both Internal Audits and the statutory auditor, Ernst & Young ("EY"), it was then
the ARC's duty to consider these reports and monitor the implementation of any
responses necessary, (please see section 5). The ARC reviewed those reports
on behalf of the board and reported findings to the board. As Chairman, I chose
to attend the ARC meetings when I could; however, appropriately, I was not a
member of the ARC.
3
.Responsibility for criminal prosecutions and civil proceedings arising from
alleged shortfalls in branch accounts based on Horizon data lay with the
executive management. Everyday functioning of all prosecutions and legal
proceedings lay with the legal function (part of the executive function), in the
Group prior to POL separation, and within POL's legal function
thereafter. These functions reported to the relevant Company Secretary who
then reported to the board. High level reports of legal activity which I believe
primarily focused on statistics were made to the ARC and, after separation, to
the POL board. I note that the minutes for the ARC meetings dated 20 May
2011 (RMG00000005) and 17 November 2011 (RMG00000007) both refer to
Page 13 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
papers titled 'Fines, Compensation & Material Litigation' which appear to be
updates in respect of accruals for fines, compensation and provisions. The
Inquiry has not provided me with copies of these papers®. Please also see
paragraph 39 in which I discuss minutes for the ARC meeting on 8 December
2011 whereby an update was given that mentioned challenges to Horizon
(RMG00000003).
32. In addition to this, during my tenure at POL, I recall having a conversation with
Jon Millidge, the Group's Company Secretary, who highlighted that the lawyers
within the legal function had a ‘code’ to follow which set out the principles that
they must adhere to when dealing with and making decisions upon a case. I
now understand this to be the Code for Crown Prosecutors. At the time I took it
to mean that there was another layer of checks in place on the legal function
and as such we should be cautious with our input.
Reporting Lines
33.When I joined RMG, the MD of POL, Alan Cook, sat on the RMG board along
with some other POL executives. The MD of POL's executive reporting line was
to the CEO of RMG. In addition, the MD of POL reported to the POL board
which provided an additional layer of monitoring and carried out statutory
functions.
34. The government had two teams in SHEX which interacted with the executive of
RMG, one for the Royal Mail business and one for POL. The MD (later CEO)
°I would be happy to comment upon these papers if the Inquiry wishes for me to review them.
Page 14 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
of POL, and the CEO of Royal Mail both interacted directly with SHEX officials
and Ministers. There were multiple interactions between SHEX and Royal Mail
(including POL) ranging from routine requests for information, to participation in
discussions of strategy and tactics. These interactions were not always
intermediated, even by the CEO or the Chair. Given that Royal Mail was seen
as a regulated business enterprise, whilst POL was seen more as a public
service enterprise with its future remaining in government ownership, there was
a heightened interaction between POL and SHEX/Ministers on day-to-day
matters including, for example, numbers of branches, location, and services.
35.As Chair of Royal Mail and POL whilst both businesses were government
owned, I too had interaction with SHEX. My interaction was generally confined
to board, strategic, personnel and individual or specific matters. I should note
that in the letter dated 30 September 2010 that I received from Rt Hon Vince
Cable MP who at the time was SoS for BEIS (UKGI00001328), he makes
reference to continuing arrangements to meet regularly. I have not had access
to my diary from this period of time, however, I do not recall having regular
communications with the SoS. Any communications were most likely on an ad
hoc or sporadic basis.
36. As Chair of both RMG and POL, I respected the reporting line between the
relevant CEOs/ MD and their direct reports and between the CEOs and their
board. Thus, when meeting members of his/her team of executives I would be
in the habit of (almost always) ensuring that the CEO was aware of the
interaction’. In my view, to do otherwise would confuse executives as to their
7 On the rare occasion I did not inform the CEO of a meeting I had with his/her team of executives, this would be as a result of being
asked appropriately by the executive not to do so or that I simply had forgotten.
Page 15 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
reporting line. In all companies, it is important to maintain a clear distinction
between executive and non-executive functions.
37.1 met frequently with the Group Company Secretary, Jon Millidge, in his role as
secretary to the board. Whilst I may have met them, I do not recall one-to-one
meetings with the Head of Legal in either RMG or POL. At the time, I was not
aware of the Royal Mail or POL “problem management team” referenced by the
Inquiry which seems to have been a basic IT trouble shooting function. Whilst
aware of its existence, I did not interact with “the security/ or investigation
department” on any individual matter; any issues would have been reported to
the Company Secretary, who would in turn have reported any significant issues
to me and the board. Although there were many issues at any one time, I would
have expected the Company Secretary to use his professional judgement and
to report any critical issues that were raised with him to me and the board.
38.1 was not involved in the “oversight of the investigation and prosecution of SPMs
for theft, fraud and false accounting for alleged shortfalls in branch accounts.”
I was aware that RMG/POL had the power to prosecute, and that such
prosecutions had been routine prior to my appointment and that they
continued. I do recall that questions in respect of prosecutions were raised at
some POL board meetings on seeing reports of legal activities. I believe at first
questions were raised in relation to the number of prosecutions. As stated
above, the board was told that there had always been prosecutions and the
number remained at a roughly consistent level. It was also explained that, sadly,
there had always been a few dishonest SPMs. We received assurances that
the Horizon IT system was robust. The available board minutes I have been
provided with for POL board meetings are not verbatim notes and are
Page 16 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
summaries of what was discussed. I distinctly remember the board being
informed that all prosecutions brought by POL had been successful, in
accordance with the email I received from Paula Vennells dated 29 September
2011 (POL00405910) (please see paragraphs 58 & 59). The board had no
reason to doubt the veracity of the answers.
39.1 was aware of "the recovery of alleged shortfalls in branch accounts, including
through the use of civil proceedings” against SPMs through reports made by
executives to the ARC. On 8 December 2011 in minutes for the ARC meeting
(RMG00000003), it is recorded that the committee was updated that POL had
dismissed, prosecuted and commenced civil debt recovery action against a
number of SPMs and Crown staff, following financial losses in branches. The
ARC was told that a small number of staff had defended the criminal and civil
proceedings on the basis that Horizon was faulty. At the time, although the ARC
had been made generally aware of potential issues with access controls via the
EY management letter, year ended 27 March 2011 (POL00030217), it was not
aware that this letter had any connection to challenges being made by SPMs°.
However, my recollection is that the ARC received assurances that the integrity
of the data was not compromised. It was also never informed that SPMs had in
fact raised any concerns of unauthorised manipulation of figures as part of their
defence. Finally, it did not know, as it now transpires, that SPMs had been told
remote access was not possible in the course of their legal proceedings. Had I
or the ARC been informed of this, further questions would have been raised®.
Please see section 5 for further detail.
* Please see paragraphs 72 & 90.
* have set out in more detail below in section 5, the fact that Dame Moya Greene and I met with EY who provided further reassurances
in relation to the integrity of the Horizon data
Page 17 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
40. I am asked about (a) policies, guidelines and practices followed by POL, RMH
and RMG when pursuing a civil action against an SPM, (b) the conduct of audits
of SPMs’ branch accounts, (c) practices and policies in respect of suspending
or terminating SPMs’ contracts, and (d) policies, guidelines and practices in
investigating alleged offences and bringing criminal prosecutions, including the
process of disclosing documents. These are all executive matters in which
neither I nor the board were involved. I am also asked about the extent to which
I passed on information about concerns as to the reliability of data produced by
the Horizon IT system. In this respect I possessed no information to pass on. If
there was anything that I felt I needed more information about I would have
asked for it. I am further asked about the extent to which I oversaw the
management of the distribution of information relating to the reliability of the
Horizon IT system within POL/Royal Mail. I was not involved with the
distribution or management of the information referenced.
4
. The Inquiry asks about my board leadership style. I believe my leadership style
to have been open and collegiate. I asked for transparency and sought through
informal contact to establish a sense of teamwork. For RMH, I introduced
reviews of the board’s performance first by Professor Goffee of LBS and later
by Ffion Hague of Board Excellence. I encouraged the reviewers to witness a
board meeting and committees as well to conduct unsupervised interviews with
board members. The Senior Independent Director was responsible for liaising
with the Reviewer to collate information about my performance and to
communicate the Review's conclusions to me. The involvement of an external
Reviewer was bi-annual. In the alternate years the board completed a
performance questionnaire in a process managed by the Company Secretary.
Page 18 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
From memory, I believe the open and collegiate style that I encouraged was
recognised in generous comments about my performance.
42.1 arranged dinners for the directors to enable informal discussion of issues. I
also based myself in Royal Mail's Head Office in London and, as a result, whilst
being careful not to stray into executive territory, had many informal interactions
with executives. I also had regular meetings with the Royal Mail's CEO, CFO,
and Company Secretary. I also held regular meetings with the CEO/ MD of POL.
43. Additionally, I consider that my other roles outside Royal Mail or POL assisted
me in my performance of my role. I witnessed similar problems to those in Royal
Mail handled in different contexts and was able to use my knowledge and
experience to assist the board when dealing with such issues.
44.1 worked with the relevant Group Company Secretary to determine the agendas
of RMG & POL board meetings. There were a number of standing items - eg
Health & Safety Report, CEO Report, Finance Director's Report - and then
specific papers to be on the agenda requested by executives (through the CEO
or at the CEO's request) or by other directors (including non-executives). For
example, it had been brought to my attention that RMG had particularly high
levels of accidents and that health and safety needed to improve. As a result, I
can recall asking that health and safety was placed at the top of the agenda
with the CEO reporting. Reports were segregated into those requiring decisions
and those for information and noting. The CEO was accountable for all reports
from executives no matter who had originated the content; this was important
to maintain the integrity of reporting lines. The board also received reports from
its sub-committees.
Page 19 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
45.1 am asked about the level of technical IT expertise of those attending board
meetings. I do not consider that any of the non-executive directors had deep
technical IT expertise but as some had run major enterprises, with embedded
IT, they were not ignorant of IT issues either. In that structure, any significant IT
issues would have been addressed by the CEO or the CTO, who would report
to the board in relation to the IT function of the business.
46.Equally, amongst the executives who attended board meetings, there were
varying levels of IT expertise dependent upon their role. However, the board
relied upon the IT specialists within the executive function to keep them
appraised of any significant IT functions/issues.
47.In considering this question, I have reflected on board composition. For all
boards of major enterprises, a range of expertise is required. A non-exhaustive
list includes regulatory, distribution, financial, experience of very large
enterprises, accounting, industrial relations, technology, government
functioning, pensions, safety, ability to chair an audit committee, remuneration,
business to business issues, business to consumer issues, strategy, and
mergers and acquisitions. In addition, the composition of the board needs to
take into consideration diversity in many forms. We tried to achieve such
diversity of skills, experience and knowledge for the RMH, RMG and POL
boards, however, it is not possible within a manageable board to have in depth
knowledge of every area.
48. It is for that reason that, from time to time, boards commission specialist reviews
and reports on particular topics. For example, in my email to Paula Vennells
Page 20 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
dated 29 September 2011 after having read the Private Eye article
(POL00405910), I suggested the commission of a specialist report to assist the
POL board.
49.The Inquiry asks about how executives reported to the board if they did not
attend a board meeting. In my experience boards vary. In a unitary board
structure, some have only the CEO representing the executive and the
business, others, more commonly have the Finance Director (or CFO) also.
Some others include other executives, for example the COO or the HR
Director.
50.As a generalisation, an executive with either relevant expertise or specific
responsibility would attend and present a paper, especially if written by them or
their team. However, for practical reasons, many papers would be presented
by the CEO or taken as read without an accompanying presentation.
51.Thus, executives reported to the board in RMG or POL either through the CEO
or directly in person. In terms of information sharing, the reporting was,
therefore, either through written communication, presentation of an oral report
or through the CEO. Accordingly, it was not always necessary for executives to
attend board meetings in order to report or share information. '°
52.The Inquiry asks whether I felt I was able to devote sufficient time to my roles
at POL / Royal Mail. I dedicated considerable time to Royal Mail Group matters
in order to fulfil my duties as Chair. The benefits of modern technology allowed
‘ The minutes only record the apologies of persons who have a duty to attend the meetings and if an absent member wished to have
an input that would generally be done by calling me before a board meeting. Feedback to an absentee reporter to the board would be
done by the CEO in appropriate cases about what had occurred in the meeting
Page 21 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
for considerable multi-tasking. I worked each day for as many hours as
necessary, frequently significantly exceeding 12 hours in a day. Given the
requirements of my role at RMG, I had my physical base in Royal Mail’s London
office. As mentioned at paragraph 14, I received highly complimentary
feedback within my performance assessments.
53.1 am asked about my understanding of a) the prosecution of SPMs for theft and
false accounting and b) the pursuit of civil litigation against SPMs to recover
alleged shortfalls in branch accounts at the time I joined the Group. Upon
joining the Group, I had no knowledge or understanding of these
matters. Indeed, on appointment I did not know such litigation was in flight.
54.1 do not recall problems with the Horizon IT system's integrity being explicitly
discussed at the Royal Mail board meetings.
55.As mentioned at paragraph 38 above, in response to any questions on the
pertinent issues, the POL board received assurances that the Horizon IT system
was robust. As to prosecutions, the board was told that there have always been
prosecutions as, it was alleged, there had always been a few ‘bad apples'
amongst the SPMs. When asking about the numbers of prosecutions, the board
was told that all prosecutions had been successful, and some had received
custodial sentences. At the time, in general, this was viewed as an affirmation
of the validity of the prosecutions"'. Hindsight in the light of what is now known
shows that the fact that there had been successful prosecutions may have had
the effect of concealing that there was something wrong with the Horizon IT
' We were also told that some people convicted had been given prison sentences. While this played no part in affirming the validity of
the prosecutions, we were aware that the consequences could be serious for those convicted
Page 22 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
system, since we assumed that the rigours of a prosecution process would
uncover any difficulties with the evidence upon which a prosecution was
based.
56. The POL board was not told that these prosecutions resulted from pressure on
SPMs to admit to false accounting in the manner now revealed. Furthermore,
we now know that some of the so-called false accounting was in relation to
SPMs putting funds into POL, not as might reasonably have been assumed,
taking funds out. I have now also seen that in some cases, it appears that SPMs
felt pressured to plead guilty to the offence of false accounting so that more
serious offences were not pursued. I doubt very much that any board member
would ever have asked if convictions were being made on such basis.
57.The POL board was told that there were no relevant problems with the Horizon
system, there was no reporting of bugs, errors or defects ("BEDs") or issues of
integrity. The reporting in Computer Weekly was not brought to the attention of
the POL board.
58.In September 2011, I read an article published by Private Eye which detailed a
class action by SPMs and raised questions about the Horizon system. As I
recall, this article was not specifically brought to my attention by anyone at POL;
habitually I purchased Private Eye for myself. I was surprised to learn of the
class action and the questions the article had raised in relation to the integrity
of Horizon. At the time I was no longer Chair of the POL board having stepped
down on 22 September 2011. Regardless, I sent an email to Paula Vennells on
the 29 September 2011 (POL00405910), copying Dame Moya Greene (CEO of
Royal Mail), Paul Murray (Chair of the ARC) and Alice Perkins (Chair of POL),
Page 23 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
stating that I was surprised by the article and its contents and raised that it may
be appropriate to have a relevant report on the issue carried out and submitted
within the POL board papers for the future. Having recently stepped down from
the POL board, I did not wish to overstep and made it clear that it was the
current Chair, Alice Perkin's, call. I also indicated that the issue should be
relevant to the ARC and asked whether an independent audit of Horizon had
ever taken place.
59. In response Paula Vennells provided assurances, keeping Dame Moya Greene,
Alice Perkins and Paul Murray in copy, that ‘each time any cases have gone to
court, POL's position has been upheld. And from memory, in at least 2 cases
fraud was proven with subsequent imprisonment.’ Ms Vennells also stated that
to avoid doubt, POL were having the old and new Horizon systems
independently verified by an external systems auditor and expected results at
the end of October 2011. At the time, I was reassured by Ms Vennell's response,
particularly her confirmation that an independent audit was in progress. As a
result of Paula's email and her position as CEO of POL, I believed that the POL
board would deal with the matter appropriately going forward. Given all that I
now know, upon reflection, Ms Vennells' statement that ‘in at least 2 cases fraud
was proven with subsequent imprisonment’ indicates that weight was given to
the outcome of prosecutions without considering that they might have been the
result of or obtained in spite of unreliable evidence. With the benefit of hindsight
this may be seen as involving confirmation bias.
60.After I left the POL board, I was also copied into an email response sent by
Paula Vennells dated 26 November 2011 (POL00378686) to Shane O'Riordain,
Director of Communications, in relation to a BBC programme covering the
Page 24 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
alleged problems with the Horizon system and some SPMs dismissals and
convictions'?. Although I do not recall seeing this email, I can see that Ms
Vennells states ‘There is continuous legal and audit work in respect of this and
it can be subject to FOI. We are confident in Horizon and we are supported by
the NFSP." Her statement indicated that appropriate reviews were being carried
out and that they were confident in the Horizon system. This was consistent
with the assurances that the POL board and the ARC were given during my
appointment as Chair.
6
.Iam asked whether I thought that the POL and Royal Mail's corporate structures
were adequate to fulfil their responsibilities or manage risks. At the time, I
believed the corporate structures of POL, RMH and RMG were fit for purpose.
However, all corporate structures depend on the people operating within them.
The appropriate lines of defence against unwanted risks were in place: Internal
Audit, the ARC, whistleblowing facility, Have your Say (an_ internal
communication channel) and defined executive responsibilities, plus
appropriately independent, external audit and independent directors.
62. In my view, the non-executive oversight was carried out properly; however, such
oversight is dependent on the veracity of the information supplied. During my
time at RMG and POL there was nothing that led me to believe I could not trust
the information I was provided with, or the people who provided it.
63. As Royal Mail progressed towards privatisation, it was clear that POL needed
to develop its own independent governance and would soon no longer be able
to rely on Royal Mail for Audit, Legal and other services. Accordingly, I stood
"At the time, I did not see this BBC programme and have not seen it since.
Page 25 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
down from the board of POL in September 2011, being succeeded by an
independent chair (Alice Perkins). Thereafter she attended various meetings of
the RMG board as Chair, until privatisation in September 2013. During that
period, I relied upon the processes that would require anything material to be
brought to the Royal Mail board for its consideration’.
64.As POL was split from RMG in April 2012, the executives of both RMG and POL
negotiated the separation of functions, and the board of POL had been adapted
in 2011 to enable it to conduct its own oversight. Royal Mail ceased to provide
outsourced legal support to POL.
65.1 am asked about HMG oversight. It is not possible for a shareholder, no matter
how powerful or substantial, to know everything that is happening in a business
it owns unless it runs the entire governance and management processes.
SHEX knew a great deal about the operations of the Group (including POL) but
could never be aware of every issue. There were almost daily interactions
between SHEX and some part of the Royal Mail Group. SHEX needed to
prioritise and, as the issues for the group were existential, it is unsurprising to
me that SHEX was not fully aware of the litigation against SPMs at a time when
the board itself was also unaware of the detail.
66.1 am asked if I consider government oversight of POL, RMG and RMH to have
been adequate.! did then and do now. Again, oversight is dependent on
information flows. As a parallel, government could not be aware of the detail of
prosecutions for theft of mail other than at an aggregate or macro level. Greater
* As set out above that was the proper functioning of the POL board and Chair.
Page 26 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
involvement by government in oversight would have risked crossing the line into
interference and a blurring of responsibilities.
67.For the future, where government is a sole owner of a business, I believe it
would be helpful that an office of government/shareholder liaison, under the
leadership of the CEO is established in each business to act as a channel for
all communication between the shareholder and the business, that considerable
efforts are made to respect this as a unique information channel’ and that
communication with the CEO (other than regarding personal matters) involve
that office. I believe this would improve efficiency of information flows and allow
for the calibration of information in a consistent manner. It would also avoid any
possibility of undermining the formal reporting lines in the business. In my
experience, confidence in communicating to SHEX officials was lessened as
the result of the same questions being asked simultaneously of several
executives. Transparency in the communication process should help this
problem.
68. There was a tendency when reporting upwards to give reassurance that any
issue was or could be resolved without difficulty. It could be described as a ‘don't
worry it's fine’ culture. It is a culture that is much more identifiable with hindsight
and it may explain why some critical matters were not raised to senior
management or beyond that to the board.
SECTION 4: KNOWLEDGE OF THE INTEGRITY OF HORIZON
* Such a channel might be supplemented by access to the Head of Internal Audit.
Page 27 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
69.As indicated, I had no knowledge of the Horizon IT system when I joined the
boards of RMH/RMG. After I joined the POL board, I became aware there was
a system used by Post Offices for accounting purposes and that its adoption
had been in response to the need to provide digitised services to HMG.
70.1 am asked the following questions: (a) whether I was aware of either BEDs in
the Horizon system, lack of integrity in the same or complaints addressing
BEDs or concerns with integrity; (b) my knowledge of the ability of Fujitsu
employees to alter transaction data or data in branch accounts without the
knowledge or consent of SPMs; (c) any training provided to me in respect of the
Horizon IT system; (d) what steps I took, if any, to increase my knowledge of
the Horizon IT system.
7
.I had no knowledge of (a). I did not understand at the time that Fujitsu
employees could alter data without knowledge or consent of SPMs. I discuss
my knowledge of (b) within paragraph 39. In addition, when access issues were
identified in the EY management letter, year ended 27 March 2011
(POL00030217), I did not have the contextual information to appreciate the
implications of "unauthorised/ inappropriate access which could lead to the
processing of unauthorised or erroneous transactions" upon the prosecution of
SPMs. At that time, in particular, I did not consider that EY's letter informed us
that Fujitsu employees had the power to alter data without the knowledge or
consent of SPMs. As far as I was aware, the issue was whether or not the
access issues identified by EY at this stage would affect the integrity of the
accounting data. On this point, I did however have a meeting with EY together
with Dame Moya Greene; my recollection of this is that we were assured that
the integrity of the data was unaffected. As previously mentioned, we were not
Page 28 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
told that some SPMs had raised as part of their defence that data had potentially
been amended without their knowledge.
72.Regarding (c) I received no training in respect of the Horizon IT system, nor of
any other of the myriad of systems used by the Group. It would not have been
relevant to my role — I was not an executive.
73.With respect to (d), I asked several questions about the robustness of the
system at board meetings and asked about a review of the system and
proposed a referral to the ARC (e-mail post Private Eye article of 29 September
2011 - POL00405910). Further, I had several meetings with Mr Thomson from
the National Federation of Sub-Postmasters in order to keep up to date with any
current issues. He did not raise any issues in respect of challenges made to the
integrity of Horizon and I had no reason to ask him. Having now seen his
evidence, I understand why he did not raise this as an issue as he believed
there was no issue with the system.
74.With reference to the file note of a meeting between Paula Vennells and Susan
Crichton dated 30 September 2013 (POL00381629), I do not recollect a
discussion with Alice Perkins that referenced an actual or potential “cover-up”.
However, it would have been consistent with my normal behaviour and track
record for me to have stressed to her the importance of full transparency. My
experience of working with Ms Perkins was that she also believed in full
transparency. I am certain that had a discussion about a cover-up taken place
I would have remembered it.
Page 29 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
75.1 believe the Ismay Report dated 2 August 2010 (POL00294837) was an
executive-led report which briefed the executive management on the issues.
The Report (to the best of my knowledge) was not presented to the POL board,
lam not on the distribution list and I do not believe I had sight of it. I expect that
executives would have relied on it as providing the basis for their answers to
the board. I do not know if it was referenced.
SECTION 5: AUDITS AND REVIEWS OF THE HORIZON IT SYSTEM
76.1 attended the ARC on 13 May 2010 (RMG00000004). I understood the
reference to the “Horizon payment system” in the forward plans of Internal Audit
(along with other POL matters) to be normal forward planning with regard to the
major activities in POL. The Horizon system was so integral to POL, it meant
that any significant issue with it of any kind, such as if there was an operational
problem and the system was to 'go down’ for a few hours, could be very serious
for POL's operations. Consequently, Horizon was always an agenda item for
Internal Audit at any ARC meeting as our reliance upon it posed a substantial
risk to the business.
77.1 have read the EY management letter, year ended 27 March 2011
(POL00030217), the minutes of the Royal Mail ARC, dated 20 May 2011
(RMG00000005), the minutes of the POL board meetings dated 27 May 2011
and 4 July 2011 (POL00021499 and POL00021500 respectively), the POL IT
update paper POLB(11)32 dated September 2011 (POL00029438),
the minutes of the POL board meeting dated 22 September 2011
(POL00030365), the minutes of the Royal Mail ARC dated 8 December 2011
Page 30 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
(RMG00000003) and the minutes of the Royal Mail ARC dated 14 December
2011 (RMG00000127) in relation to the EY audit for 2010/11.
78.During the relevant period, I read the EY management letter, year ended 27
March 2011 (POL00030217), I did not however have sight of the briefing note
dated 28 April 2011 on audit findings which appears to have been produced for
Paula Vennells at her request (FUJ00086922). The EY management letter was
a substantial document, and it was discussed during the meetings of the POL
board and the ARC as set out below.
79.1 have been provided with minutes of the ARC meeting on 20 May 2011
(RMG00000005). Whilst I did not attend this meeting, I can see from the
minutes that Alison Duncan from EY presented at this meeting along with Mike
Young and Lesley Sewell. It was explained that the audit process "had identified
significant control weaknesses, which in Ernst & Yong’s view, reflected a need
for improvement by the outsource provided Fujitsu but also a change in
approach on the part of POL in relation to the management of the Fujitsu
contract. The approach by Fujitsu in delivering audit requirements to POL and
E&Y had resulted in an unduly lengthy, unpredictable and inefficient audit in
respect of this aspect of the IT audit... POL had established an IT Audit &
Control Board to manage contract governance going forward."
80.1 attended the POL board meeting on the 27 May 2011 (POL00021499). The
minutes state that "the board noted that the auditors had raised concerns about
the IT change management processes, access controls, the Fujitsu managed
services and POL's oversight and assurance of key activities. Lesley Sewell
had been invited to advise the Board on the steps taken to improve the
Page 31 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
controls". Whilst concerns surrounding access controls were noted in the
minutes, I agree with the following further statement that "the main issue of
concern centred around the inability to use a SAS70 standard for evidencing
that the controls are in place."
8
.I understood that SAS70 was used to evidence on the effectiveness of internal
controls and that because Fujitsu did not use this standard, it was difficult for
EY to evidence the controls in place in an efficient manner for their audit. It is
further noted in the minutes that "activity had already commenced to remedy
the issues identified by Ernst & Young, including establishing a POL IT Board.
The Board agreed that the end result should be that either SAS70 applies or a
set of controls is established that Ernst & Young are happy with".
82.At the POL board meeting on 4 July 2011 (POL00021500) Paula Vennells
provided an update. She confirmed that the "new POL IT Audit & Control Board
would pick up all the issues and actions from the SAS70 audit and that Ernst &
Young were not sitting on the Board... Les Owen emphasised that the
advantage of asking Fujitsu to comply with SAS70 audits meant that we could
rely on those reports. The Board discussed the best way to engage with Fujitsu.
Paula Vennells explained that she was meeting them and would raise the
issue". A detailed technology paper covering these issues was also to be
presented by Mike Young (COO) at the next POL Board meeting. I note that I
had no knowledge of the detailed working of the IT Audit & Control Board - it
was an executive committee and was not established by the board nor reported
directly to it.
Page 32 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
83.1 have been provided with a copy of the POL Board IT Audit Update dated
September 2011 signed by Mike Young (POL00029438). I believe I would have
had sight of this document at the time it was circulated. The IT Audit Update
states that EY made recommendations related to "change management
processes; access controls; the Fujitsu managed service and POL's oversight
of key control processes within Fujitsu". It was confirmed again that an Audit
Steering Group had been established to ensure audit actions were completed
and at the time this group had met three times. It was also noted that a project
team had been established to manage all activities and that they were currently
on target for completion by "the end of October". In respect of user management
and access rights to POL's systems, it was noted that "a complete review of this
area is underway and is on target for completion". Finally, the note summarises
that position as follows:
"we will have enhanced controls, governance and a reporting mechanism in
place with Fujitsu, covering the recommendations made by Ernst & Young, by
the end of October, with an intention to move to SAS70 by the end of 2012 for
use as part of the 12/13 audit.”
84.This update is noted in the POL board minutes from 22 September 2011
(POL00030365). It follows that the POL board were reassured that
management were making good progress in relation to the EY
recommendations, including their recommendations in respect of access
controls.
85. It is further recorded in the minutes that Les Owen clarified that the original
question from the ARC was questioning why Fujitsu did not provide a SAS70
Page 33 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
audit. Within this meeting I suggested that we align ourselves with other Fujitsu
customers to ensure Fujitsu realised SAS70 was a customer requirement. Alice
Perkins also attended this meeting, which was the last POL board meeting I
attended as I stepped down from my role as Chair of POL.
86.On 8 December 2011 (RMG00000003) I attended an ARC meeting where
Richard Wilson, Kath Barrow and Ben Marle from EY were also present. The
minutes record the following discussion:
“unlike other RMG major IT suppliers, Fujitsu does not have a SAS70 or
equivalent report on its controls, and the consequence of this is that Ernst &
Young needs to do full testing of all systems which are integral to the
financial results as part of the RMG annual audit process. A number of IT
control issues were identified during the 2010 — 11 year end audit, which
were largely centred on Fujitsu. Overall EY was satisfied that the control
systems were reliable but they had to perform additional audit work to
make this conclusion, and they made certain recommendations in the
management letter following the audit for improvements which have been
implemented. The IT control issues identified during the audit did not
relate to the integrity of accounting data in the system. Rather, EY made
recommendations about the documentation and authorisation of changes to
systems and about opportunities for streamlined assurance’>".
87.The ARC was thus reassured that any control issues identified during the audit,
including access issues, did not affect the integrity of accounting data in the
system. As mentioned in paragraph 39, we were not told that these control
* Sentences here have been emphasised in bold.
Page 34 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
issues could impact the integrity of the data and as a result, the civil or criminal
legal proceedings being brought against SPMs.
88.At the time of the EY management letter,I had understood that EY were
predominately concerned about the governance of the Fujitsu relationship. This
centred around the difficulty of obtaining audit evidence from Fujitsu. Therefore,
EY recommended a SAS70 audit to ensure the base information they required
was more readily available to them. As I understood it, their report said that
they had trouble evidencing the controls rather than that the controls
themselves were deficient. We were told overall EY was satisfied that the
control systems in place were reliable and that planning was underway for the
2012-13 audits and Fujitsu had committed to covering the cost to implement a
SAS70 approach for POL.
89.As mentioned at paragraphs 39, 71 and 72, I believe that I had a meeting with
the audit partner at EY on conclusion of the audit to hear the principal
conclusions and recommendations prior to his formal reporting to the ARC. This
was my normal practice. I believe that Dame Moya Greene was also at this
meeting. At such a meeting I was in the habit of asking if there is anything else
I should know beyond the written report. I do not recall any other issues being
raised beyond those referenced in the audit report other than that the audit had
been cumbersome in process. It was not drawn out in this meeting by EY that
unauthorised changes to the Horizon data could be made without SPMs’
knowledge or consent. Nor did I know at the time that SPMs were raising such
issues as part of their defence. Had I been made aware; I would certainly have
raised further enquiries.
Page 35 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
90. My attention has been drawn to the Draft Report 11/005 Horizon System
Controls Assurance Review by POL dated February 2012 (POL00029114) and
the POL Review of Key System Controls in Horizon Assurance Review dated
March 2012 (POL00030482). I am not aware of having seen these reports
before and I am not included on the circulation list. By the time they were written
I was no longer Chair of POL. I am unclear of the background other than that
they appear to be a response to the EY management letter. I do not know how
they were used.
SECTION 6: SEPARATION OF POL AND RMG/RMH
91.1 have been provided with a copy ofa letter dated 30 September 2010 I received
from Rt Hon (now Sir) Vince Cable MP who at the time was SoS for BEIS
(UKG1I00001328). I recall receiving this letter and note the following section:
"we see Royal Mail and Post Office Limited as distinct businesses and
believe that they are best separated. Officials have communicated to you
our objectives for the Board in this regard. It is therefore important that no
action is taken prior to a Royal Mail transaction which could make the
implementation of that separation more complex or difficult. There should be
no move to further integrate the Post Office and Royal Mail."
92.1 recall this being a clear indication at the time that the SoS expected that I
prioritise separation of the businesses.
93. The detailed work on the separation of POL and RMG/RMH was almost totally
performed by executive management. There were negotiations between two
Page 36 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
teams (one from Royal Mail and one from POL). A mechanism was established
whereby, if they were unable to agree, they were to escalate the disagreement
to Alice Perkins and me. My memory is that this formal mechanism did not need
to be used as the negotiations concluded in agreement. The CEO of Royal
Mail, Dame Moya Greene, shared with me issues of principle, for example, the
degree of exclusivity regarding distribution that she hoped to obtain.
Organisational structure was a matter for the executives.
94.1 discussed with Mr Lovegrove (now Sir Stephen) at SHEX the composition of
the board of POL.
95.1 am asked what discussions or negotiations took place on where responsibility
would sit after separation for (a) the Horizon IT system, (b) the investigation and
prosecution of SPMs and (c) the pursuit of civil claims against SPMs. I believe
that none of these issues was referred to me or the Royal Mail board. As the
responsibility for these matters lay with POL post separation, the matter of
prosecutions naturally fell on POL and I am now aware that POL did indeed
continue prosecuting.
96.1 am also asked about any past liabilities relating to (a), (b) or (c). I believe it
was common ground that any such past liabilities, should they have existed,
belonged to POL. Again, I believe that neither I nor the board were asked to
intervene in any discussions or negotiations on this topic.
97.As referred to above, the background to my email to Paula Vennells and others
dated 29 September 2011 (POL00405910) was my reading an article in Private
Eye speaking of a possible class action by SPMs. I had been instrumental in
Page 37 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
helping to create the more extensive agenda for the POL board in preparation
for handover to Alice Perkins and here I was suggesting that it would be
sensible to have a specialist report also’®. Given that Ms Perkins was new, I
thought she would appreciate the assistance of the ARC in looking at what lay
behind the article and that such a referral was appropriate in its own
right. Detailed follow up had now become a matter for the POL board of which
I was no longer a member.
98. This e-mail was not linked to "the imminent separation of POL from RMG" as I
am asked but was the result of the timing of the publication of the Private Eye
article.
99.The Inquiry has referred me to an e-mail chain between Martin Edwards and
others dated 20 September 2013 (POL00381747). I do not believe I was part
of such discussions in respect of the prospectus referred to in this email trail.
This was not untypical at this time, as SHEX frequently communicated directly
with management. As part of the RMG board I participated in the approval of
the prospectus following read-through and legal advice. There were no issues
or risks that were not followed up or stress-checked as far as I was aware. I
believe the prospectus to have been accurate based on the information
available to board members.
100. At that time, I had no particular concerns relating to Horizon impacting on
the success of the separation of POL and RMG/RMH nor on the flotation of
Royal Mail and no such concerns had been brought to my attention.-At the time,
'® I suggested a referral to ARC because the existence of a class action represented a risk to the business and not because I had
formed any view about whether it had any prospect of success.
Page 38 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
had this been raised I believe this would have been viewed by investors as a
matter for POL and not Royal Mail and therefore would have had no impact on
the flotation.
101. The process of privatisation and the fact that this was something I was aware
was a government objective would not have prevented me from acting on any
information, had I been aware of any, that called into question the reliability of
the Horizon IT system. I felt no pressure from government or others and acted
independently at all times. There was no benefit to me personally in a
successful privatisation arising from my role.
102. As set out above, at the time the access issue was not connected to the
SPM challenges, but rather seen as an external audit matter for the accounts.
Reflecting on it with hindsight, even had the access issue been looked at
differently, had the prospectus been amended on account of the access issue,
or had it been highlighted as a risk factor to the accounts in the privatisation
materials, it would not necessarily have had the effect of uncovering the
connection with SPM cases.
SECTION 7: COMPLAINTS BY SPMS
103. Other than high level knowledge that there were prosecutions, I had no
knowledge or involvement in investigating or respondingto complaints
concerning the Horizon IT system, or criminal or civil proceedings brought by
POL. These were matters for the executive management.
Page 39 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
104. I have been provided with copies of correspondence from 2010 and 2011
by the Inquiry in respect of complaints by SPMs. Firstly, I should discuss the
way in which post addressed to non-executive and executive senior
management was processed by the Royal Mail Group.
105. During my tenure, as Chair of both businesses a large amount of post was
addressed to me covering a wide range of issues (for example, lost letters, the
cost of stamps, use of rubber bands, as well as policies and operations). The
post was triaged and sent to the appropriate departments so that the right
people were dealing with the content of the letter and taking appropriate action.
I believe that there was a central team based in Manchester and another team
based in the Royal Mail's London office who dealt with post on behalf of
directors and senior management. The Manchester team may have dealt with
complaints, however, due to the passage of time I cannot now recall the exact
way in which post was processed and distributed between the two teams.
106. I have been provided by the Inquiry with a copy of Ferndown Post Office
Branch Information Briefing (POL00294706) in respect of SPM Mrs Athwal and
a letter sent by Michele Graves, Executive Correspondence Manager, dated 28
June 2010 to Mrs Athwal. It appears that Ms Graves has written a response to
Mrs Athwal in response to a letter that was addressed to David Smith, MD of
POL (POL00294727), and I, however I have not been provided with a copy of
the original letter. Within Ms Graves’ response, she states that ‘it is not
appropriate for Donald or other board members to investigate personally on
your behalf’. I have not previously had sight of documents POL00294706,
POL00294727, nor do I recall having sight of a letter from Mrs Athwall.
Page 40 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
107. As this letter was responded to by Ms Graves, the Executive
Correspondence Manager, I do not believe that I would have seen it. I cannot
recall Mrs Athwall's situation ever being brought to my attention.
108. I am also asked about my knowledge or involvement in investigating and/or
responding to complaints brought by MPs. Generally, I was not personally
involved in these activities.
109. I believe that letters received from Ministers addressed for my attention
were supposed to be provided directly to me and not syphoned off for other
departments to deal with. Should any MPs write on the same subject as the one
previously raised by a Minister (that I had responded to), then follow up letters
from other MPs should have come directly to me’”.
110. I have now been provided with a copy of a letter sent by sent by Peter
Bottomley MP in relation to SPM's Mr Lall's termination dated 24 January 2011.
I do not believe I had sight of this letter at the relevant time. I expect that this
may have been dealt with by one of the central correspondence teams based
in either London or Manchester and not brought to my attention.
111. I was not involved in the investigation by Second Sight into the Horizon IT
system. As part of separation in April 2012, I had resigned from the POL board
and Alice Perkins was now Chair of POL at the time of the interim report dated
8 July 2013 (POL00099063). Accordingly, with POL now separated, it was
expected that its board and CEO would deal with any issues arising from further
7” I can recall an example of this in 2010 (approx.) when Rt Hon Pat McFadden, the then Postal Minister, wrote to me in respect of a
campaign called Queen & Country based on the work of Steve McQueen to ask Royal Mail to issue commemorative stamps of
individual servicemen and women who had lost their lives in Iraq. Once I received this letter from the Postal Minister in respect of this
campaign, letters from MPs on the same topic came directly to me.
Page 41 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
reports in respect of Horizon or SPMs’ legal proceedings. Although I remained
Chair of RMH, our main function at that time was to resolve any potential
disputes between RMG and POL, as such it is my belief that we were not
provided with any reports POL received during this period. I did not see this
interim report from Second Sight. At the time of the final Second Sight report
dated 9 April 2015, I was no longer on the board of POL or RMH. In addition to
this, I was not involved in the Initial Complaint Review and Mediation Scheme
which I now understand was established to help resolve the concerns of SPMs
regarding the Horizon system and other associated issues.
112. I have read the POL note regarding a Lessons Learned review
(POL00040032). I do not believe I was interviewed for the POL lessons learned
project and was unaware that my participation had been considered a
possibility.
113. Around the time of my handover to Alice Perkins and following the
publication of the Private Eye article (September 2011), I recollect sharing with
both Alice Perkins and Les Owen (NED) that I considered there to be remaining
open questions regarding the prosecutions. My thoughts and questions at this
time can be seen within my email dated 29 September 2011 (POL00405910).
Within this email chain, I flagged this as an issue to Paula Vennells, who then
copied Alice Perkins and others into the email chain. I then recollect having
separate discussions with Alice Perkins and Les Owen as I felt it was an area
to keep under review as I thought 'something didn't feel quite right’. This was in
the context of assisting in framing the forward agenda for the POL board. I do
not recall discussing this issue with SHEX.
Page 42 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
114. I did not investigate complaints raised by SPMs. That was not my role.
Regarding complaints by MPs I would have expected those to be handled by
the public affairs team or correspondence team reporting to management.
115. I have read an email chain involving Martin Edwards dated 12 July 2013
(POL00191953). I do not remember what the referenced call to Alice Perkins
was about. The briefing note to Ms Perkins here is illustrative of a way of
working at POL that was hard to change. Considerable overpreparation and
work prior to finding out what I wanted to speak about was undertaken, rather
than finding out and then focussing on the answer. The note also illustrates a
tendency to want to describe everything as "ok, nothing to worry about" in POL
communications.
116. I believe this illustrates an important point about culture. I found the culture
of POL to be heavily influenced by three factors. First, the considerable desire
of management to please HMG, second, the reality that without subsidy from
HMG, POL would fail as a business and, third, a strong desire for
independence. It was a bricks-based business in a world increasingly
dominated by clicks-based businesses. It faced considerable strategic
headwinds. The result, in my view, was a reluctance by management to share
anxieties for fear that they would undermine the case for subsidy. I speculate
that this culture may have contributed to the reluctance to admit to BEDs in the
Horizon IT system with all its consequences for SPMs.
117. The Martin Edwards email chain dated 12 July 2013 (POL00191953) makes
clear that the Company Secretary for RMH and RMG, Jon Millidge, had been
briefed on the Second Sight Report. At the time, POL had been separated from
Page 43 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
RMG since April 2012 and therefore this may have been why it was noted that
Jon Millidge saw it as an issue for POL. I did not see the interim or final Second
Sight Report. Neither reports were provided to me during my tenure at Royal
Mail. I can only assume that the executive were dealing with these reports as
well as the POL board and that the Company Secretary did not consider it
necessary to bring these reports to my attention.
118. I have been provided with and asked about Simon Clarke’s advices of 15
July 2013 (POL00006357) and of 2 August 2013 (POL00129453) and
Deloitte’s Project Zebra reports dated 4 June 2014 (POL00028069). I was
neither aware of the existence or the gist of these documents at the time. In July
and August 2013, I was still Chair of RMH. At this time the companies had
already separated and were in the final weeks before the date of privatisation,
and it may be that the requirement for POL to be able to act entirely
independently affected decisions to pass on information. By contrast, at the time
of the Deloitte Project Zebra report I was no longer Chair of either POL or RMH.
SECTION 8: GENERAL
119. 1am asked whether I provided sufficient information on the relevant issues
to the boards on which I sat or to HMG. I did not have any unique information
and therefore had none to provide.
120. 1Iam also asked about how POL handled challenges to the integrity of the
Horizon IT system. It is now abundantly clear that this was not done well. I still
do not know why this is so, but I suspect that the existence of a functioning
Page 44 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
system was so important to the future of POL that no POL executive dared to
admit it might not be fully fit for purpose.
121. Iam asked about how the boards of RMH, RMG or POL or HMG maintained
effective oversight. I believe that all the proper and appropriate processes for
good governance were in place and were operative. As I have said earlier in
this statement, all controls of this nature break down if the basic inputs are not
truthful.
122. I am asked about POL’s approach to prosecutions and the disclosure of
information to SPMs who were convicted based on Horizon data. I was not
aware nor briefed on the detail at the time in respect of POL’s approach to these
prosecutions nor on how its managers communicated with SPMs. This would
have been handled by the legal functions of the Group, any issues would go via
the normal channels to the Company Secretary who would then report to the
relevant board. Given what I now know, the approach to prosecutions was
wholly and indefensibly inappropriate. I am ashamed that this occurred whilst I
was part of the Royal Mail Group.
123. In absolutely no way can the events being looked at by the Inquiry be
excused, but I reflect that the work of the Inquiry may be assisted by reviewing
the context in which the businesses were operating. The suffering of wrongly
accused SPMs was utterly regrettable and indefensible and I am grateful to
have had this opportunity to assist the Inquiry.
Statement of Truth
I believe the content of this statement to be true.
Page 45 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
- GRO
Signed:
Dated: 11/11/2024
Page 46 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
Index to First Witness Statement of Sir Donald Hood Brydon
No. URN Document Description Control Number
I=
RMG00000005 Minutes: Royal Mail plc Audit I VIS00007413
and Risk Committee Minutes,
dated 20 May 2011
In
RMG00000007 Minutes: Royal Mail Holdings I VISO0007415
plc Audit and Risk Committee
Minutes, dated 17 November
2011
leo
RMG00000003 Minutes: Royal Mail Holdings I VISO0007411
plc Audit and Risk Committee
Minutes, dated 8 December
2011
>
UKGI00001328 Letter from Vince Cable (BIS) I UKGI012142-001
to Donald Brydon re:
shareholder role in Royal Mail
over next few years, dated 30
September 2010
POL00405910 Email from Paula Vennells to I POL-BSFF-0231758
lon
Les Owen, Matthew Lester
and others re Private
Page 47 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
Eye/Horizon, dated 29
September 2011
Io
POL00030217 Ernst & Young Management I POL-0026699
letter to POL, year ended 27
March 2011
POL00378686 Email from Paula Vennells to I POL-BSFF-0205573
IN
Shane O'Riordain, Cc'd Alice
Perkins, Moya Greene and
others Re: Horizon, dated 26
November 2011
POL00381629 File notes Susan I POL-BSFF-0208516
100
Crichton/Paula_ Vennells = -
FRIDAY 30/9 Costa Coffee
Old St/Goswell Rd, MONDAY
2/9/13 PV meeting room 3pm
and Reflections, dated 2
September 2013
1
POL00294837 Horizon - Response _ to I POL-BSFF-0132887
Challenges Regarding
Systems Integrity, dated 2
August 2010
10 RMG00000004 Minutes: Royal Mail Holdings I VISO0007412
plc Audit and Risk Committee
Minutes, dated 13 May 2010
Page 48 of 51
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
WITN10320100
WITN10320100
POL00021499
Minutes: POL Board Meeting
Minutes, dated 27 May 2011
POL0000032
POL00021500
Minutes: POL Board Meeting
Minutes, dated 4 July 2011
POL0000033
POL00029438
Post Office LTD Board, POL
IT Audit Update, dated
September 2011
POL-0025920
POL00030365
Minutes: POL Board Meeting
Minutes, dated 22 September
2011
POL-0026847
RMG00000127
Minutes: Royal Mail Holdings
plc Board of Directors Meeting
Minutes, dated 14 December
2011
VIS00013026
FUJ00086922
Briefing note on Audit findings
for Post Office and Fujitsu
Senior Management, dated 28
April 2011
POINQ0093093F
POL00029114
POL Draft Review of Key
System Controls in Horizon:
Assurance Review (Draft
11/005), dated February 2012
POL-0025596
POL00030482
Post Office Limited Review of
Key System Controls in
POL-0026964
Page 49 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
Horizon, Assurance Review
Report, dated March 2012
19 POL00381747 Email from Martin Edwards to I POL-BSFF-0208634
Paula Vennells and Mark R
Davies re: Prospectus update,
dated 20 September 2013
20 POL00294706 Ferndown Post Office Branch I POL-BSFF-0132756
Information Briefing, undated
24 POL00294727 Letter from Michele Graves to I POL-BSFF-0132777
Rachpal Athwal re: Post Office
Ferndown branch, 3 Penny's
Walk, BH22 9TH, dated 28
June 2010
22 POL00099063 Signed Interim Report into I POL-0098646
alleged problems with the
Horizon system, dated 8 July
2013
23 POL00040032 Post Office Lessons Learned I POL-0036514
Review of handling of alleged
issues/concerns about
Horizon: Terms of Reference,
produced in July or August
2013
Page 50 of 51
WITN10320100
WITN10320100
Docusign Envelope 1D: 64592609-6882-4A82-AA40-89D444CDBBFE
24 POL00191953 Email from Martin Edwards to I POL-BSFF-0030016
Charles Colquhoun re Donald
Brydon call, dated 12 July
2013
25 POL00006357 Simon Clarke’s advice on the I POL-0017625
use of expert evidence relating
to the integrity of the Fujitsu
Services Ltd Horizon System,
dated 15 July 2013
26 POL00129453 Simon Clarke's advice on I POL-0134937
disclosure - the duty to record
and retain material - Post
Office LTD, dated 2 August
2013
27 POL00028069 Deloitte’s Project Zebra I POL-0023072
reports, dated 4 June 2014
Page 51 of 51