WITN11190100
WITN11190100
Witness name: John Bartlett
Statement No: WITN11190100
Dated: 25 April 2024
THE POST OFFICE HORIZON IT INQUIRY
First Witness Statement of John Bartlett
on behalf of Post Office Limited in the Post Office Horizon IT Inquiry
1. I, John Bartlett, of 100 Wood Street, London, EC2V 7ER, say as follows:
A. Introduction
2. I am John Bartlett, Director of Assurance and Complex Investigations (A&Cl), Post
Office Limited ("POL" or “Post Office”). I joined Post Office in February 2022 and was
appointed as Head of the Central Investigations Unit which was the previous name
for A&CI. Under both team titles I had, and continue to have, responsibility for the
Speak Up team within Post Office. Speak Up is a frequently used and our preferred
label for activity that used to be referred to as whistleblowing, although in various
Post Office documents 'whistleblowing' is still used. This is my first witness statement
to the Inquiry. Whilst I was not employed at Post Office during the period in question
(the “Relevant Period”), given my role in directing and overseeing the Speak Up
function, I am the appropriate person to give this witness statement on behalf of P ost
Office as I am acquainted with Post Office's current policies and practices that govern
Page 1 of 144
WITN11190100
WITN11190100
the Speak Up function's work and have previous experience of managing
whistleblowing issues in other arms-length and commercial bodies.
. This witness statement has been prepared in response to a request made by the
Post Office Horizon IT Inquiry (the "Inquiry”) pursuant to Rule 9 of the Inquiry Rules
2006, dated 6 February 2024 ("Rule 9(50)"). Question 4 of the Rule 9(50) asks Post
Office to explain the following over the Relevant Period (exhibiting any relevant
documents):
Any written procedures and policies specifying how whistleblowing was to be
treated within Post Office Limited and any other relevant organisations including
the required escalation and reporting process within the Board or involving the
Board.
. The facts in this witness statement are true, complete and accurate to the best of my
knowledge and belief. I have sought to include within this witness statement
evidence relating to matters or issues detailed in the Rule 9 request insofar as the
relevant facts are within my own knowledge. The Rule 9 request also sought
evidence relating to matters and issues that are not within my knowledge. As a result,
where my knowledge has been informed by another person or by documents that I
have reviewed for the purposes of preparing this witness statement, I will specifically
acknowledge the identity of the individual concerned or the nature of the documents.
Where I refer to specific documents in this witness statement, copies of those
documents have (where possible) been produced to the Inquiry.
Page 2 of 141
WITN11190100
WITN11190100
5. I have been assisted in preparing this witness statement by Burges Salmon LLP and
Fieldfisher LLP (together "BSFf"), who act on behalf of Post Office in the Inquiry
(other external advisers also act for Post Office) and external counsel.
B. Structure of this witness statement, definitions and background
6. This witness statement is set out in the following sections:
(a) Section A (paragraphs 2 to 5) is a general introduction.
(b) Section B (paragraphs 6 to 12) sets out the structure of the statement, definitions
and high level background.
(c) Section C (paragraphs 13 to 73) provide a summary of the history of Post Office's
whistleblowing policies that have been identified as part of the review work for
responding to question 4 of R9(50).
(d) Section D (paragraphs 74 to 118) set out the required escalation and reporting
process within the Board or involving the Board.
7. The policies and procedures within Post Office which address whistleblowing have
developed over the Relevant Period. As outlined above, it is currently referred to
within Post Office as “Speak Up.” This covers both the act of whistleblowing (the
“Speak Up report”) and the policies/procedures that relate to it. I have seen
documents from 2010 onwards using the phrase “Speak Up”. I use the terms
interchangeably throughout this witness statement as appropriate to the time period
of the document which I am referring to.
8. My experience with whistleblowing started in around 2007 when I worked at the
Financial Services Authority ("FSA"). I worked there for around three and a half
Page 3 of 144
WITN11190100
WITN11190100
years. I worked in the private sector from around 2011 — 2017. Between 2011 and
2015, I worked at a Swiss global testing, inspection, standards, and certification
company called Société Générale de Surveillance (normally referred to as SGS), as
the Global Head of Investigations. Part of my role involved engaging with
whistleblowers themselves and then investigating their reports or overseeing the
engagement and investigations. Between 2015 and 2017 I worked for the Royal
Bank of Scotland in the Sensitive Investigations Unit as an Investigations Director
where part of my duties involved being part of a working group on whistleblowing
and I also managed the staff member who oversaw the development of the
whistleblowing function. From around 2017 - 2022, I worked at the Pension
Regulator as Head of Enforcement Investigations. As part of that role, I provided
oversight and guidance in the management of significant whistleblowing reports and
reporters.
9. Some reporters providing certain types of information (often referred to as
“disclosures”) through a Speak Up function are afforded protection by law. The
statutory basis for protected disclosures arises from the Public Interest Disclosure
Act 1998 ("PIDA 1998"). It applies to England, Scotland and Wales’. amended the
Employment Rights Act 1996 ("ERA 1996") to protect workers from detrimental
treatment by their employer where they make a protected disclosure. In order to
qualify as a protected disclosure the disclosure must be a “qualifying disclosure” as
defined at s.43B ERA 1996, being any disclosure of information which in the
‘ Northern Ireland has different legislation Public Interest Disclosure (Northern Ireland) Order 1998. I understand that this is broadly
similar to PIDA 1998; however, an analysis of the differerces between the legislation is beyond the scope of this Rule 9 request.
Page 4 of 144
WITN11190100
WITN11190100
reasonable belief of the worker making the disclosure is made in the public interest
and tends to show one or more of the following:
(a) that a criminal offence has been committed, is being committed or is likely to be
committed;
(b) that a person has failed, is failing or is likely to fail to comply with a legal obligation
to which he is subject;
(c) that a miscarriage of justice has occurred, is occurring or is likely to occur;
(d) that the health or safety of any individual has been, is being or is likely to be
endangered;
(e) that the environment has been, is being or is likely to be damaged; or
(f) that information tending to show any matter falling within any one of the preceding
paragraphs has been, is being or is likely to be deliberately concealed.
10.The legislation in place that protects whistleblowing does not impose a positive
obligation on employers to encourage whistleblowing, implement a whistleblowing
policy or govern what an employer should do if a disclosure is received. It also only
provides protection to certain categories of people, 'workers', who raise concerns
relating to specific topics, risks or situations. It protects workers from detriment
caused by virtue of them making the disclosure. Postmasters are not - and have
never been - 'workers' and so are not protected by the legislation. During the
Relevant Period, however, Postmasters were sometimes explicitly included within
the Policy and sometimes.at other times, they were excluded because they were not
‘workers’ but appear to have been able to make reports as a matter of practice.
Where Post Office has been able to identify the position, I have set this out at Part
C below.
Page 5 of 144
WITN11190100
WITN11190100
11. Over time the attitude towards whistleblowing has shifted, such that whilst legislation
does not specifically require employers to have a whistleblowing policy, it is now
considered best practice to do so. In my experience, these policies often go beyond
the protections afforded to reporters under the narrow requirements of PIDA 1998.
There may be other protections for reporters who do not fall within these categories
under other policies or procedures, for example employment codes of conduct.
12.Employers have been assisted by guidance issued by various government
departments and organisations with recommendations on what is considered best
practice, for example, the Department for Business Innovation and Skills’
'Whistleblowing: Guidance for Employers and Code of Practice’ dated March 2015
[POL000423670].? These types of guidance documents do not have any statutory
force. However, I note that via the Shareholder Relationship Framework Document
[POL00362299], Post Office is obliged to "have regard to the principles contained"
in the 'Whistleblowing: Guidance for Employers and Code of Practice’?
C. Summary of whistleblowing policies during the Relevant Period
13. From review of the materials that Post Office has been able to identify as part of the
searches carried out in responding to this request, I have compiled the following
versions of whistleblowing policies over the Relevant Period:
? Department for Business Innovation and Skills’ ‘Whistleblowing: Guidance for Employers and Code of Practice’ dated March 2015
Whistleblowing: Guidance for Employers and Code of Pradice (publishing. service. gov uk),
3 Page 24, Shareholder Relationship Framework [POL00362299]. The Framework Document was entered into between Post Office,
the Department for Business, Energy and Industrial Strategy ("BEIS") and BEIS's representative, UK Government Investments Limited
(‘UKGI" or the “Shareholder's Representative") and took effect on 1 April 2020. It is not legally binding (save as to confidentiality
obligations).
Page 6 of 144
WITN11190100
WITN11190100
Date Policy Reference
Royal Mail Group Policy, 'GO7 Employee POL00423202
02.08.2010
Confidential Disclosures'
Post Office, Speak Up Policy’ POL00030609
30.04.2012
Post Office Whistleblowing Policy (v1.4) POL00423366
27.04.2016
Post Office Whistleblowing Policy (v1.5) POL00413463
10.06.2016
Post Office Whistleblowing Policy (v1.6) POL00423394
22.09.2016
Post Office Group Policies - Whistleblowing POL00423611
11.08.2018
Policy (1.7)(draft)
Post Office Group Policies - Whistleblowing POL00423576
21.08.2017
Policy (v1.8)
Post Office Group Policies - Whistleblowing POL00423451
25.09.2017
Policy (v2)
Post Office Group Policies - Whistleblowing POL00423579
July 2018
Policy (v2.1)
Page 7 of 144
WITN11190100
WITN11190100
Post Office Group Policies - Whistleblowing POL00423578
July 2018
Policy (v2.2)
Post Office Group Policies — Whistleblowing POL00423461
20.09.2018
Policy (v3)
Post Office Group Policies - Whistleblowing POL00423613
July 2019
Policy (v3.1)
Post Office Group Policies - Whistleblowing POL00423584
June 2019
Policy (v3.2)
Post Office Group Policies - Whistleblowing POL00423581
July 2019
Policy (v3.3)
Post Office Group Policies - Whistleblowing POL00423602
July 2019
Policy (v3.3)
Post Office Group Policies — Whistleblowing
19.09.2019
Policy (v4) POL00423603
Post Office Group Policies - Whistleblowing POL00423604
April 2020
Policy (v4.1)
Page 8 of 141
WITN11190100
WITN11190100
Post Office Group Policies - Whistleblowing POL00423585
June 2020
Policy (v4.2)
Post Office Group Policies - Whistleblowing POL00423586
July 2020
Policy (v4.3)
Post Office Group Policies — Whistleblowing POL00030903
27.07.2020
Policy (v5)
Post Office Group Policies - Whistleblowing POL00423594
March 2021
Policy (v5.1)
Post Office Group Policies - Whistleblowing POL00423596
March 2021
Policy (v5.3)
Post Office Group Policies - Whistleblowing POL00423590
March 2021
Policy (v5.4)
Post Office Group Policies — Whistleblowing POL00413444
14.05.2021
Policy (v6)
Post Office Group Policies — Whistleblowing POL00423610
May 2021
Policy (v6.1)
Page 9 of 144
WITN11190100
WITN11190100
14. The policies listed in this table appear to me to be final versions. Where Post Office
has identified drafts, I have referenced them below if I think they are illustrative, but
I have not included them in the table so that it is clear to the Inquiry which ones are
the final versions. Whilst I was not employed by Post Office when these historic
policies were in place, I have read the policies and comment on their content as
follows.
1996-2009
15.From a review of documents identified as part Post Office’s response to Rule 9(50),
Post Office has sought to understand where responsibility for whistleblowing rested
during the pre-separation period.
16. Post Office does not hold a single repository of historic policies and procedures in
relation to whistleblowing over the Relevant Period. In seeking to understand and be
able to explain to the Inquiry the procedures over the Relevant Period, Post Office
has run searches to try and identify potentially responsive material. It has been able
to identify very limited information about the period prior to separation in 2012.
17.Version 1 of Post Office’s Employee Disclosure Policy is dated October 2005
[POL00423192]. It is noted as having first been issued in October 2005. Post Office
has not been able to identify any policies pre-dating this for either Royal Mail Group
or Post Office. The policy sets out:
Page 10 of 141
WITN11190100
WITN11190100
(a) The definition of an “employee disclosure” and how such a concern may come
about;
(b) The policy itself including reference to Royal Mail Group and its Code of Business
Standards;
(c) The guidelines as to how a report can be made, to whom and how it should be
handled including the outcome;
(d) Disciplinary penalties for those found to have acted in an unethical or unlawful
manner as a result of the report or for anyone using the policy where they are
shown to have used it deliberately, maliciously or mischievously to lay false or
misleading information
(e) Where to access additional further information.
18.Version 2 of a Royal Mail Group Policy entitled 'GO7: Employee Confidential
Disclosures' dated 2 August 2010 [POL00423202] indicates that version 1 was
created on 28 July 2006. Version 2 states that it applies to Post Office. Post Office
has not been able to locate version 1 of this policy and so has not been able to
confirm whether this policy applied to Post Office between 2006 and 2010. However,
from review of other materials (as set out below) it does appear that Royal Mail
Group's policy did cover Post Office staff during this time. It therefore appears that
Post Office had its own policy but also was subject to Royal Mail’s policy on
whistleblowing during this period.
Page 11 of 141
WITN11190100
WITN11190100
19.An email called ‘focus online issue 32/06' dated 24 October 2006 [POL00423150was
an update issued within Post Office (as it was 'to' "Post Office Ltd (all)") about Royal
Mail's whistleblowing procedures.‘ It states that:
"The Employee Disclosure policy and guidelines have been reviewed and
updated following a recent audit of Royal Mail Group policies and procedures.
This policy is an important part of making the company a good place to work and
helps to protect its reputation in the community and marketplace.
The employee disclosure (often called "Whistleblowing") policy enables
employees to raise concerns about inappropriate behaviour (e.g. behaviour
linked to criminal activity, fraud, conflicts of interest or health and safety
breaches). In most instances colleagues should be able to raise these issues
through their line manager or other routes such as the Security and CSR
helplines. The employee disclosure policy concerns those occasional situations
where a colleague feels these routes cannot be used, or the matter is so serious
that it needs escalating to a senior level of management.
As long as a disclosure is made in ‘good faith’, the policy protects and allows
colleagues to make disclosures in a confidential manner. In return Royal Mail
Group is responsible for investigating a complaint and, where appropriate, taking
effective remedial action.
Details of the updated policy and guidelines and who to contact to raise a concern
have been posted on Royal Mail Group's Intranet site.”
* Focus online issue 32/06 [POL00423150].
Page 12 of 141
WITN11190100
WITN11190100
20.This document appears to confirm that, at this time, all Post Office related
whistleblowing reports were logged with Royal Mail and that Royal Mail investigated
and actioned them. It is not clear whether, at this time, Royal Mail liaised with Post
Office about these complaints or handled them centrally.
21.A copy of the Royal Mail Group intranet page refers to Post Office staff and contacts
in relation to queries under the policy [POL00423195]. I note that the date of the
document on the e-Disclosure platform is June 2010 but the webpage itself states
that the page is effective from 28 July 2007 and that the page was last updated in
October 2006. This appears to support the understanding that the Royal Mail policy
applied to Post Office from 2006 when it came into effect.
22.A Post Office Limited Internal Audit & Risk Management Report dated February 2008
[POL00423152] refers to an “RMG Whistleblowing” policy being available for
“suspected wilful non-compliance". The Post Office Compliance Framework from
February 2009 also refers to the G7 RMG Whistleblowing Policy and also the “Post
Office Limited Employee Disclosure” policy [POL00423153]. Again, these
documents are supportive of Royal Mail Group’s policy applying to Post Office.
23.1 have been shown a document called “Employee Disclosure Guidelines”
[POL00423196]. I understand that the document is called “Employee Disclosure
Guidelines 06-07-25v8 SP.doc” on the e-disclosure platform. The text in this
document is different to the text in the G7 policy document referred to above. The
document appears to provide further detail about the process for handling a PIDA
1998 complaint once received including who should receive it, investigate it and
Page 13 of 141
WITN11190100
WITN11190100
reporting about the outcome. There is reference within the document to Post Office
and a specific telephone number for Post Office employees to use so it appears that
it did apply to Post Office. Post Office has not been able to identify any further
information about the guidelines.
2010
24.As outlined above, version 2 of a Royal Mail Group Policy entitled 'GO7: Employee
Confidential Disclosures' is dated 2 August 2010 [POL00423202] (the “RMG
Policy”). The RMG Policy owner was the Group Executive Committee (GET)®. It
states that the RMG Policy applies to "a/l business units within RMG including Post
Office Ltd."® Version 2 of the RMG Policy states that the whistleblowing policy
objective was corporate transparency and the provision of a route for staff to raise
concerns and that they were protected from reprisal in doing so.’
25. The RMG Policy defines workers as "employees and others contracted personally to
perform work on behalf of RMG"8 As a result, I understand that Postmasters and
their staff would not have been able to access this route to raise concerns under the
Policy. Post Office has not been able to identify whether as a matter of practice they
did make reports via this route at this time and/or whether these were investigated
anyway. The RMG Policy confirms that anonymity was available and that good faith
reporters would not suffer detriment. The RMG Policy includes the following detail:
5 Page 1, Royal Mail Group Policy ‘G07: Employee Confidential Disclosures’, Version 2, dated 2 August 201 0/POL00423202).
° Page 3, Royal Mail Group Policy ‘G07: Employee Confidential Disclosures’, Version 2, dated 2 August 2010/POL00423202).
7 Page 2, Royal Mail Group Policy ‘G07: Employee Confidential Disclosures’, Version 2, dated 2 August 201 0/POL00423202).
® Page 2, Royal Mail Group Policy ‘G07: Employee Confidential Disclosures’, Version 2, dated 2 August 2010/POL00423202.
Page 14 of 141
WITN11190100
WITN11190100
a. it references and quotes the heads of qualifying reports protected by PIDA
1998, including miscarriages of justice;
b. it states that contact is to be made within 5 working days of a report being
received; it provides the Speak Up email address;
c. it states that RMG Internal Audit & Risk Management is responsible for the
policy and process, reporting to the RMG ARC and RMG General Executive
Committee, chairing a RMG working group to ensure serious claims are
investigated, and managing the “hotline” contract; and
d. it establishes a phone, web and email reporting process for PIDA-type
reporting and states that it is part of a group of reporting lines including
Bullying & Harassment Helpline, Security Helpdesk, Corporate & Social
responsibility Helpdesk, and Ask Adam (a suggestions email address).
26.A Royal Mail document called 'RMG Speak Up Hotline Internal Audit & Risk
Management (IA&RM) High Level Process (draft)' [POL00423380] confirms that the
Speak Up hotline (run by InTouch) was launched on 2 August 2010.2
27. The Fraud, Commercial and Information Security Review 2009/2010 for Post Office
[POL00423197] refers to a new project in relation to whistleblowing being
undertaking for launch during 2010/11. Gary Thomas, Project Manager within the
Security Team, led this project and prepared a project document entitled ‘Security
Project Initiation Document (SPID)’ [POL00423201], dated 25 March 2010, which
focused on introducing a business wide whistleblower policy and establishing a
° Royal Mail Group Speak Up Hotline Internal Audit & Risk Management (IA&RM) High Level Process (draft)/POL00423380).
Page 15 of 141
WITN11190100
WITN11190100
single point of contact to ‘whistle blow’’® . The aim of the project specifically states
that the contact should be accessible to everyone including directly employed Post
Office Ltd Staff, Franchisees, Sub-Postmasters and their respective staff.
28.He prepared a project plan [POL00423199] aiming to ‘introduce a fit for purpose
robust "Whistleblower" Policy via Group and External benchmarking and to meet the
necessary FSA guidelines and requirements". It appears that the intention was that
this would be benchmarked against other whistleblower policies and processes
across the Royal Mail Group. The SPID is referenced in a report produced by the
Security department, “Security 4 Weekly Report 09/04/2010" [POL00423194], in
which it states in a whistleblowing bullet point that it is an up-coming whistleblowing
activity.12
29.The project plan laid out actions taken to achieve a “fit for purpose robust
“Whistleblower” Policy via Group & External benchmarking and to meet the FSA
guidelines and requirements”'*. The project start date was 5 April 2010 and the end
date was 24 December 2010. It appears that there was some updating to this project
plan as it progressed [POL00423200]. A draft document entitled ‘Whistleblower
(Speak Up) In Post Office Ltd' dated June 2010 states that "in accordance with best
practice, Post Office proposed to now adopt its own Employee Confidential Policy &
helpline" [POL00423204]'* . An updated draft of this document dated August 2010
1° Page 3, Security Project Initiation Document (PID) [POL00423201).
Project Plan [POL00423199).
}? Page 3, Security 4 Weekly Report 09/04/2010 /POL00423194).
‘9 Project Plan [POL00423199].
4 Whistleblower (Speak Up) In Post Office Ltd, June 2010/P0L00423204).
Page 16 of 141
WITN11190100
WITN11190100
[POL00423205] includes a process map for how a disclosure would be dealt with.'5
As outlined below, it does not appear that this project was completed.
30. It appears that the Post Office Security team project was put on hold in September
2010 as a result of Royal Mail’s work on a new “Speak Up” policy [POL00423203].
The Royal Mail Employee Confidential Policy [POL00423202],'® Speak Up Hotline
FAQs, process map [POL00423209]'’, example form, and disclosure record were
finalised at the end of July 2010 and circulated by Royal Mail to the Group, including
Post Office [POL00423674]. Post Office has not been able to identify a copy of the
original email which attached copies of the Speak Up Hotline FAQs, disclosure
record or example form.
3
. It does not appear that further consideration was given to a Post Office specific policy
until early 2011 when Wayne Griffiths (Security Programme Manager) wrote a paper
about the current position and what might need to take place in order for Post Office
to have its own policy [POL00423206]. The paper anticipates that a new policy would
be available to all employees including Agent's staff within the Network. It anticipates
that Grapevine (see also paragraph 61), a Post Office owned and managed service
which had been operational since January 2007 could run the service. The Post
Office internal fraud reporting process document dated 6 October 2011, highlights
Grapevine was already in use in relation to internal fraud and/or security breaches
[POL00423247]. The Policy refers those who wish to make a “Speak Up” report to
‘5 Whistleblower (Speak Up) In Post Office Ltd, August 2010/POL00423209.
18 Employee Confidential Policy [POL00423202).
1” Process map [POL00423209).
Page 17 of 141
WITN11190100
WITN11190100
the RMG line and states that “although this service isn’t a bona fide Whistleblower
line, callers are still covered by [...] PIDA.”
32. It does not appear from a review of the RMG policies that Grapevine was used for
receiving reports prior to this and the number provided for Post Office staff in the G7
policy also does not refer to Grapevine. It is therefore not clear whether or not this
was a new suggestion or an existing process. A draft policy was also written but it
is not clear how this was progressed internally within Post Office [POL00423207].
33.An email from Wayne Griffiths (Security Programme Manager) dated 6 October 2011
refers to the “full blown whistleblower line” being run by the Group through its “Speak
Up” policy [POL00423210]. It therefore appears that Royal Mail Group’s policy
continued to govern Post Office’s Speak Up function. One of the attachments to this
email is a process for internal fraud reporting using Grapevine which states that the
process envisages that those making reports would be covered by PIDA 1998
[POL00423218]. Another attachment is the process map which refers to re-routing
being possible to the RM Speak Up Line run by In Touch [POL00423221]. This
process continued post separation and version 2 of the process is dated February
2013 [POL00423241].
34. The Royal Mail Group draft Code dated August 2011 states that it is applicable to all
Group companies and sets out the values and business standards expected of those
working within the Group [POL00423676]. It sets out what someone should do if they
have a concern in relation to whistleblowing and refers to the Speak Up
(whistleblowing) policy. The reporting line is again stated to be run by Intouch. An
Page 18 of 141
WITN11190100
WITN11190100
email dated 11 June 2013 from Georgina Blair (Regulatory Risk Business Partner)
to Jessica Madron (Principal Lawyer, Post Office) responds to a discussion about
whether or not the speak-up line should be made available to subpostmasters by
stating that “we had an RMG-provided line in place and available to the whole
network for three years so I think we've grappled with some of these issues before.”
[POL00423252] This arguably supports the understanding that the InTouch line was
available to agents (including Subpostmasters) at this time.
35.A document called 'Schedule 1' appears to set out what Royal Mail (the 'provider’)
policies and procedures would apply to Post Office (the 'recipient') on separation
[POL00423265]. It states: "F. Provider to continue to provide current 'Speak Up'
employee disclosure line together with all associated support (including provision of
management information (“MI”)). G. Provider to provide support relating to transition
to the new Recipient specific employee disclosure line, including delivery of historical
MI to the extent that such historical MI is held manually or can be produced using
standard reports only. Service End Date: 31/03/2013"'®.
2012
36.In April 2012, Post Office implemented Version 1 of its ‘Speak Up Policy’ dated 30
April 2012 and effective from 1 April 2012 [POLO0030609]. It applies to "all
colleagues of the Post Office" and defines workers as "colleagues and others who
are contracted to personally perform work on behalf of the Post Office, can raise
concerns in confidence and if required, anonymously about serious malpractice in
"© Page 4, Schedule 1 (POL00423265).
Page 19 of 141
WITN11190100
WITN11190100
the organisation in the knowledge that concerns will be acknowledged and action
taken where appropriate""®. I infer from this section that Postmasters, and their staff,
were not included within the scope of this policy.
37. The policy starts by stating that "the Post Office is committed to conducting business
with the highest standards of honesty, integrity and openness where our colleagues
feel able to raise concerns internally'?°. The policy statement is as follows: "The
Speak Up Policy sets out the process by which workers, i.e. colleagues and others
who are contracted to personally perform work on behalf of the Post Office, can raise
concerns in confidence and if required, anonymously about serious malpractice in
the organisation in the knowledge that concerns will be acknowledged and action
taken where appropriate. Any worker who raises a legitimate concern in good faith
under this process will not in any way be liable to disciplinary action or loss of
benefits, rights or prospects as a result of their action. Disciplinary action may be
taken against any worker who is shown to have used these procedures to make
malicious or misleading allegations’®".
38.The main topics within this policy are:
(a) Confidentiality and protection of workers;
(b) Underpinning legislation;
(c) When concerns should be raised;
(d) How concerns should be raised; and
8 Page 2, Post Office Speak Up Policy, Version 1, 30.04.2012 [POL00030609).
2 Page 1, Post Office Speak Up Policy, Version 1, 30.04.2012 /POL00030609,
2 Page 2, Post Office Speak Up Policy, Version 1, 30.04.2012 /POL00030609)
Page 20 of 141
WITN11190100
WITN11190100
(e) How concerns will be dealt with.
39. The policy states that in the first instance workers should raise concerns with their
line manager or a senior HR manager, but if that is not possible the worker can
contact a confidential line run by InTouch MSC Ltd. The policy states that access to
the reporting line could be made by phone or via an online web service: a telephone
number and weblink is provided. I note that the InTouch weblink provided is
www.intouchfeedback.com/royalmail: I infer from this that Post Office was sharing
Royal Mail's InTouch platform. It states that InTouch would treat concerns in
complete confidence and that contact details do not need to be provided, but that
withholding contact details may reduce the business’ ability to conduct the
investigation. It states that all calls to the Speak Up line would be acknowledged
within five working days and that the investigations would be made by people with
appropriate authority who have the technical and professional knowledge for the
particular case. The policy also specifies Post Office's bullying and harassment
helpline, and under the heading 'Grapevine’, provides a telephone number by which
to report crime relating to the Post Office.
40.In 2012, Grapevine continues to be referred to in documents provided by Post Office
to postmasters such as its “Post Office Security - Top Ten Tips” although I note that
this reference is specifically stated to be about “suspicious activity” as opposed to
whistleblowing [POL00423230]. Post Office has conducted searches to identify
whether anything further was provided to Postmasters at this time about Grapevine.
Whilst no specific material communicating Grapevine as a dedicated whistleblowing
Page 21 of 141
WITN11190100
WITN11190100
tool for Postmasters at this time has been found, there is reference in an email
exchange in September 2012 between Wayne Griffiths (Security Programme
Manager) and Georgina Blair (Regulatory Risk Business Partner) whereby Wayne
Griffiths (Security Programme Manager) notes on 28 September that “you may recall
that I instigated a watered down ‘Internal Fraud' line as part of the Grapevine
portfolio, and we do get a trickle of calls through on that” [POL00423677]. Further, in
an email to Joe Connor (Head of HR Services) of 7 February 2013 [POL00423679],
Georgina Blair states “however, these requirements apply to all the investigations
that we carry out at the moment. For example, there is no difference between a case
of internal fraud reported through the disclosure line, through Grapevine, or directly
to a line manager, as all are different methods of whistleblowing. An allegation of
misconduct by a sub-postmaster, reported by a member of his staff, could equally
be reported by a call to NBSC, in person to the area sales manager or by post to
Kevin Gilliland”. \n addition, in an email to Keith Rann (Head of Supply Chain) on 5
April 2013 [POL00423232] Georgina Blair writes that “Speak Up is intended to
function as a complementary line to Grapevine — if a worker is uncomfortable calling
Grapevine because of fears of being identified he can phone the Speak Up line which
as an independent third party offers the caller greater confidentiality, but the
business’s action as a result of the call should be the same, so it would seem to
make sense to ask the third party provider to call Grapevine if urgent action is
required.” The emphasis on the differentiator being the urgency of the matters
appears to support the view that Grapevine continued to be viewed as a reporting
line for situations needing more immediate attention. See also paragraphs 59, 60,
61, 62 and 92 for further information on Grapevine as a whistleblowing tool.
Page 22 of 141
WITN11190100
WITN11190100
41.The policy laid out responsibilities for the Executive Team, as follows:
(a) To approve the Speak Up policy; and
(b) To ensure that resources were made available within the Post Office as required.
42. The responsibilities of the Risk and Compliance Team is also set out, as follows:
(a) The development and maintenance of the Speak Up Policy;
(b) The development and maintenance of the framework and associated high level
processes;
(c) Coordinating the receipt of cases from the Post Office's helpline provider and
reporting back on progress and outcomes;
(d) Reporting incidents and outcomes to ARC and to CEC;
(e) Chairing a working group consisting of the subject matter experts, to ensure that
serious claims are effectively investigated; and
(f) Contractual management of the third party helpline provider.
43.As stated at paragraph 37 above, whilst Post Office had its own policy, it appears
that Post Office was continuing to use Royal Mail's Speak Up service at this time, as
the agreement with Royal Mail upon separation was that this could continue until 31
March 2013. I note that in email chains between Georgina Blair (Regulatory Risk
Business Partner) and various others in May 2012 discussion was ongoing about
setting up a Post Office specific disclosure line and Speak Up service
[POL00423232].?
22 Email chain between Georgina Blair and others dated May 2012 POL00423232).
Page 23 of 141
WITN11190100
WITN11190100
44.On 5 October 2012, Georgina Blair (Regulatory Risk Business Partner) explained in
an email to Susan Crichton that [POL00423233]:
“The 'Speak Up' line is provided by a third party, In Touch (MCS) Ltd - calls are
taken 24/7 and there is also a web reporting function. In Touch send call reports
(‘disclosures’) to a dedicated RMG e-mail address (I think there is also some level
of encryption).
A small team (approx 4 managers) in RMG Internal Audit have a rota for checking
the mailbox, and prioritise the disclosures in order of severity. Most disclosures are
sent out to nominated people within the business units, and as Susan says most
calls relate to grievances or bullying and harassment complaints. Internal Audit
operate a tracker (a simple excel spreadsheet) to keep track of who is responsible
for investigating each disclosure, and to record the results of each investigation.
Limited feedback is given to callers (generally along the lines of 'Thank you for your
call; the matter is being investigated.')
A quarterly report on calls received is prepared for the ARC.
This line is available to POL under an existing TSA until 31 March 2013. Very few
calls are currently received on POL matters, as the line is not well publicised.”
45. The policy suggests that Post Office had a decentralised approach to whistleblowing
at this time, without a dedicated Speak Up team interacting with reporters or a
dedicated team of investigators. It appears that the Risk and Compliance team
became the operational owners of the administration and governance of Speak Up
related activity.
2013
Page 24 of 141
WITN11190100
WITN11190100
46.As set out in version 1 of the Speak Up policy, it appears that following separation
from Royal Mail Group in 2012, Post Office instructed InTouch Ltd to provide the
Speak Up service for Post Office. A Project Initiation Document dated 19 February
2013 [POL00423238] shows Susan Crichton as the Sponsoring Director supporting
the standing up of the third party Speak Up service provider to be separate to RMG’s
service and that it was to be in place by 31 March 2013.?°
2014
47.An email from Risk Business Partner Georgina Blair on 30 October 2014 states: ‘we
have had very few whistleblowing reports over the last year. There was one at the
beginning of the year — I was not terribly close to it, but my boss, Dave Mason, was
more involved and should be able to advise you on the governance’
[POL00423681].** In the same email it was stated that the number on Post Office's
whistleblowing policy and on the intranet was Royal Mail's, not Post Office's — it was
noted that this was a mistake (because Post Office previously shared the line with
Royal Mail) and required updating.
48.An email chain dated 17 November 2014 between Larissa Wilson (Company
Secretarial Assistant), Sarah Hall (Financial Controller), Georgina Blair (Regulatory
Risk Business Partner), David Mason, Sarah Long, and Alwen Lyons discussed
several questions posed by the external auditors, EY, as part of their half-year audit
work [POL00423256].?5 One of these was to request a copy of the whistleblowing
% Page 1, Project Initiation Document [POL00423234}
24 Email from Georgina Blair dated 30 October 2014[POL0042368 1}
25 Email chain dated 17 November 2014 [POL00423256].
Page 25 of 141
WITN11190100
WITN11190100
policy and another to request a report on the use of the whistleblowing hotline for the
half-year up to September 2014. This email chain also records that ARC did not
review the whistleblowing policy in February 2014. This request demonstrates that
the external auditors were actively seeking to engage with, and provide scrutiny to,
whistleblowing matters as part of their work. Post Office has not been able to identify
any additional documents in the time available for providing this response which
demonstrate how Post Office responded to this request, if at all.
49.1 have seen a draft version (0.1) of a Whistleblowing Policy by Georgina Blair
(Regulatory Risk Business Partner) [POL00423254] dated 17 February 2014. It
specifies that the policy would apply to "Post Office employees and others who are
contracted to personally perform work on behalf of Post Office. This policy does not
apply to agents, operators and their assistants".
2015
50.In an email dated 1 April 2015 from Georgina Blair (Regulatory Risk Business
Partner) to Jane MacLeod, a summary of the then current whistleblowing
arrangements was attached [POL00423292]*’ The document states that:
(a) The existing policy was in need of a refresh
(b) A revised policy had been drafted which "covers employees, contract workers
etc. but not subpostmasters (agents & operators)".
(c) A decision was required on whether Post Office should have a Whistleblowing
Officer.
2 Page 4, Draft version (0.1) of a Whistleblowing Policy dated 17 February 2014 POL00423254).
7” Email chain from Georgina Blair to Jane MacLeod dated 1 April 2015/P0L00423297).
Page 26 of 141
WITN11190100
WITN11190100
(d) InTouch's contract began in 2013 and would run for three years. Reports can be
made by telephone (speaking to an operator or leaving a message) or web portal,
and Post Office has access to reports through a case management portal.
(e) The Speak Up line is used very poorly (an average of one call every six months,
and the last call was a misdirected call relating to a Royal Mail matter).
Awareness of the line is very low, and a communications plan was due to be
rolled out in April.
(f) There needed to be clarification of who owned the whistleblowing policy (as HR
had historically been unwilling to own it).
(g) The Speak Up line was mistakenly not included in the Risk and Compliance
Committee’s (“RCC”) budget.
(h) There would be discussions to explore whether Grapevine or other lines could be
used as alternative channels — previously this had been considered unsuitable
due to perceived lack of independence.
(i) The document states that one outstanding issue was: "whether to extend the line
to agents — this has been considered in the past and decided against because of
practical difficulties when dealing with other companies' employees and because
protection under PIDA does not extend to sub postmasters and their assistants".
. There appears to have been a Post Office Whistleblowing Investigations Procedure
in 2015 [POL00423329]. This procedure set out the procedure that would be
followed including decision as to whether to carry out an investigation and the form.
The Whistleblowing Officer (at this time Jane MacLeod) was stated as being the
person who would take that decision.
Page 27 of 141
WITN11190100
WITN11190100
52.In an email chain dated 29 July 2015, it is recorded that discussions had been had
with Kings Security (the operator of Grapevine) to see if they could provide a
comparable whistleblowing service to the Speak Up line?® [POL00423293]. Kings
Security had stated that they could, but that they would need to develop new services
and processes. Georgina Blair (Regulatory Risk Business Partner) stated that: "in
the meantime I have also checked with the existing provider, In Touch Ltd, to see if
we could agree a revised fee based on a revised number of expected users (when
we Set the line up and so the prospective suppliers all quoted on that basis). If we
restrict the line to POL employees, contractors and agency workers (which is the
approach recommended by Nisha and Jessica) In Touch can provide the service for
£9,720 p.a. (as opposed to their current fee of £22,300 p.a.). In Touch are able to
Switch to the new revised fee from 1 August, if we confirm that we want to do this".
Jane MacLeod responded as follows: "... this seems a no-brainer and we should
stay with In Touch but on the revised basis. From your email below, I understand
that In Touch currently provide a service for £22,300 pa and we currently owe them
£7,444 for the period 1 April to I July. They have agreed to de-scope the service for
a reduced fee of £9,720 p.a which would be effective from 1 August provided we
give them notice immediately. Please go ahead and make the necessary
arrangements". Georgina Blair (Regulatory Risk Business Partner) confirmed with
InTouch that Post Office wanted to run the restricted service (excluding Postmasters)
in an email chain in July 201529 [POL00423294].
28 Email chain dated 29 July 2015, [POL00423293,
23 Email chain between Georgina Blair and Intouch dated July 2015 POL00423294],
Page 28 of 141
WITN11190100
WITN11190100
53. During this time, Post Office continued working on the draft whistleblowing policy and
I have seen various revisions to the draft, worked on by Georgina Blair and Nisha
Marwaha (Employment Lawyer). I note that version 0.4 of the draft [POL00423327]
states that "the term ‘Worker’ is used throughout this policy to refer to Post Office
employees, officers, consultants, contractors, casual workers and agency workers.
This policy applies to Workers; it does not apply to Subpostmasters (i.e. agents,
operators) and their assistants".°°
54. Post Office tracked whistleblowing reports from at least June 2015 including details
of the reporter and subject type. It appears that Postmasters and their agents made
reports, and these appear to have been investigated under the whistleblowing
procedures which shows that policy may not have reflected practice.
55.1 have seen a document called ‘Internal Audit Risk and Compliance Committee
Report, September 2015' [POL00423307]. This contains an update on an internal
audit on Financial Crime, with two of the key findings having a potential link to
Speaking Up, being “staff are not clear on where and how to report suspicions or
concerns” and “effective mechanisms to prevent and detect fraud and corruption are
not incorporated into policies, procedures and systems.” One of the findings in the
longer form report relates to “roles and responsibilities with respect to financial crime
risk management”, with an action to “develop framework of anti-fraud policies and
procedures across the business...[and]...raising awareness of fraud risks and
developing mechanisms to maximise the opportunities for fraud risk reporting...[as
®° Page 4, Draft Whistleblowing Policy, Version 0.4, [POL00423327].
Page 29 of 141
WITN11190100
WITN11190100
well as]...responding to Speak Up and other concerns raised with management.”
Another of the findings was on “reporting of suspicious activity and investigation
processes,” where it is noted that “the Risk team is responsible for the development
and maintenance of the Speak Up Policy, framework and high level processes to
support it. We noted that a framework has not yet been developed and staff
awareness of high level process has not been tested. There is also no formal link
into the Head of Security — Fraud Risk team (responsible for investigation of
suspicions). However, there is a proposal to move the monitoring of the Speak Up
(whistleblowing) line to Grapevine for business efficiency purposes.” There are also
some ‘maintenance’ observations regarding the “number within the Speak Up Policy
was for RMG rather than PO...the script used was for RMG...[and]...the intranet
page and Speak Up Policy offers an online web reporting service, however the link
referred users to the RMG portal rather than PO.” A lack of formal training to support
the Policy, the Policy's location on the intranet, no overall GE owner, the Policy not
applying to all and no reported suspicions of fraud via the hotline in the past 18
months were also all observations made.
2016
56.0n 5 May 2016, an executive summary decision paper [POL00423355] was
prepared to update the Risk and Compliance Committee on the operation of
whistleblowing procedures in Post Office over the past year®’. The paper concludes
with the following update:
(a) The whistleblowing policy has been updated and is presented for approval.
*" Executive summary decision paper dated 5 May 2016 [POL00423359).
Page 30 of 141
WITN11190100
WITN11190100
(b) The whistleblowing procedure is operating but needs to be publicised more.
(c) Seven reports were received which was more than last year, where a total of
three were received.
(d) Implementation of the updated policy will require training and awareness
activities. ARC will be updated on the operation of the policy and procedures
annually in March.
There was also a review of the RCC terms of reference [POL00423383] which noted
that no whistleblowing report was provided in 2015/16 and that the next one would
be provided in May 2016.
57.Post Office finalised a revised whistleblowing policy in April 2016 (v1.4)
[POL00423366],*? with minor amendments made in June (v.1.5) [POL00413463]?
and then September 2016 (v.1.6) [POL00423394].** As version 1.6 appears to have
been the last version, and was effective from 19 May 2016, I set out below a
summary of the content of that version:
(a) The GE Sponsor is Jane MacLeod (General Counsel), the Policy Owner & Policy
Implementor Nisha Marwaha (Employment Lawyer), and the Policy Approver
RCC/ARC. It is stated that ARC has a standing agenda item for whistleblowing.
It is also stated that the General Counsel is accountable to the Board and the
principal employment lawyer is accountable to the General Counsel, and that the
"General Counsel provides an annual summary of reports made via the Speak
“Post Office Whistleblowing Policy (v1.4), 27.04.2016, [POL00423366); I note that this version of the policy was approved by ExCo on
5 May 2016 and ARC on 19 May 2016. Subject to minor amendments, it is substantially the same as v.1.6.
% Post Office Whistleblowing Policy (v1.5), 10.06.2016[POL00413463}
* Post Office Whistleblowing Policy. (v1.6), 29.09.2016 [POL00423394),
Page 31 of 141
WITN11190100
WITN11190100
Up line and other known instances of Whistleblowing to (i) the Post Office Board
and the Post Office Management Services Board as appropriate, and (ii) the Post
Office Board Audit and Risk Committee... any serious concerns reported by
Whistleblowing will be escalated by the Whistleblowing Officer to the Chairman
of the Post Office Board Audit and Risk Committee".°> Review and assessment
of compliance with the policy is stated to sit with the RCC.%
(b) The policy states that the General Counsel was the policy owner with "overall
accountability to the Group Executive and the Board for ensuring that Post Office
has appropriate controls in place to meet its Whistleblowing obligations". \t states
that ARC considers whistleblowing as a regular agenda item and "the Post Office
board is updated on a regular basis"°”. It states that "the Board is kept abreast of
relevant matters relating to the Whistleblowing by reports from its committees
including its ARC committee"*®.
(c) The purpose of the policy was to: "encourage the reporting of suspected
wrongdoing and/or dangerous practices...within Post Office, to make it easier for
management to address those concerns and therefore avoid serious accidents,
fraud, regulatory breaches, financial impropriety and/or reputational damage"*?.
(d) The aims of the policy are as follows:"(1) to encourage staff to report matters as
soon as possible in the knowledge that their concerns will be taken seriously and
investigated, and that confidentiality will be respected,(2) to provide staff with
guidance as to how to raise those concems, and (3) to reassure staff that they
°5 Page 11, Post Office Whistleblowing Policy (v1.6), 29.09.2016 [POL00423394)
% Page 11, Post Office Whistleblowing Policy (v1.6), 29.09.2016 [POL00423394)
7 Page 4, Post Office Whistleblowing Policy (v1.6), 29.09.2016[POL00423394)
% Page 11, Post Office Whistleblowing Policy (v1.6), 29.09.2016 [POL00423394)
%° Page 4, Post Office Whistleblowing Policy (v1.6), 29.09.2016[POL00423394)
Page 32 of 141
WITN11190100
WITN11190100
should be able to raise concerns without fear of reprisals, even if they turn out to
be mistaken".
(e) I note that this policy does not clearly specify who the policy applies to: the policy
uses the terms "staff" and "worker" when referencing whistleblowing reporters
but does not define these terms and there is no further explanation given on who
falls within the scope of the policy.
>
The policy introduces the concept and role of a Whistleblowing Officer (WO)*! as
a senior focal point for whistleblowing concerns and sets out the process in which
the WO handled reports. Jane MacLeod is stated to be the WO. The policy states
that all reports would be passed onto the WO, who then decided what should be
investigated and by whom (and whether these investigations should be
conducted by internal or external resources). It states that the investigator "should
be an individual at an appropriate level for the matter under investigation" and
without any conflicts‘?. Of note is that in the policy the reader is told that a reporter
may be “required to attend meetings to provide further information”*®.
(g) The policy defines whistleblowing, how to raise a concern, and provides contact
details of the WO and the Speak Up service. In addition, it outlines the approach
to confidentiality around reporters and anonymous reporting. Specifically, it notes
that Post Office will make "every effort to keep their identity secret"
(h) In the section called 'how to raise a concern’, it is noted that workers should raise
a concern with their line manager, or senior HR at Post Office, or the WO directly.
* Pages 4-5, Post Office Whistleblowing Policy (v1.6), 29.09.2016 [POL00423394)
*' Page 7, Post Office Whistleblowing Policy (v1.6), 29.09.2016[POL00423394)
* Page 8, Post Office Whistleblowing Policy (v1.6), 29.09.2016[POL00423394)
* Page 8, Post Office Whistleblowing Policy (v1.6), 29.09.2016 [POL00423394)
“ Page 7, Post Office Whistleblowing Policy (v1.6), 29.09.2016[POL.00423394)
Page 33 of 141
WITN11190100
WITN11190100
Otherwise, a worker could contact Speak Up, run by InTouch. I note that, unlike
in the 2012 policy, the InTouch weblink was for Post Office:
http://www.intouchfeedback.com/postoffice rather than Royal Mail.
The policy states that the investigator "should consider the principles set out in
Post Office's internal investigations policy and adhere to those principles
wherever possible when undertaking the investigations. I also note that the
policy states "Post Office has a statutory obligation to protect Whistleblowers and
will support workers who raise genuine concerns under this Policy, even if they
turn out to be mistaken"‘* but that "If Post Office concludes that a Whistleblower
has made false allegations maliciously or with a view to personal gain, the
whistleblower will be subject to disciplinary action"*”.
S
The policy states that the investigator will share a copy of the investigation report
with the WO and outcomes will be reported to the ARC. The policy also states
that workers can make external disclosures (i.e. to the FCA) for matters related
to financial services and signposts to Public Concern at Work for information on
other regulatory bodies.
58.1 have seen a policy called 'Post Office Group Investigations Policy’ [POL00423383]
v.1 dated 28 September 2016, which appears to have sat alongside the
Whistleblowing Policy to give guidance to investigators“. It states that the General
Counsel has overall accountability for the policy and that ARC considers
investigations and related matters as an agenda item. It states that Post Office's
“5 Page 9, Post Office Whistleblowing Policy (v1.6), 29.09.2016[POL00423394)
* Page 10, Post Office Whistleblowing Policy (v1.6), 29.09.2016 [POL00423394).
*7 Page 9, Post Office Whistleblowing Policy (v1.6), 29.09.2016[POL00423394)
* Post Office Group Investigations Policy dated 28 September 2016 [POL00423383).
Page 34 of 141
WITN11190100
WITN11190100
Board was updated, as necessary. The purpose of the policy is "to provide key
principles for individuals to consider and use where necessary when conducting
internal investigations" and that it should be read in conjunction with other policies.
An investigation is defined as "the act or process of investigating someone or
something". It specifies that an investigator would need to "identify if there are any
other applicable existing Post Office procedures. For example, Whistleblowing..."49.
It states in broad terms that investigators should identify who is responsible for the
investigation, consider the sensitivity and confidentiality requirements, consider who
should or should not be informed prior to commencing the investigation, and to take
legal advice if required. Again, in broad terms it states that the following principles
should be applied when investigating: confidentiality; fairness; objectivity;
transparency; and ‘decision making’ which encompasses gathering information
required, preparing a report and considering who needs to see the report (noting that
for whistleblowing it may not be appropriate to share outcomes / findings)5°.
2017
59. During this time, senior staff from across Post Office conducted the investigations
resulting from whistleblowing reports. An undated word document titled
‘Whistleblowing - high level investigation process and lifecycle’ [POL00423663]
appears to lay out the process adopted at this time for logging reports and allegations
from employees, Postmasters, Agent Assistants, or members of the public. It was
acknowledged in the document that these reports did not all fall within the definition
of whistleblowing, but this audience set demonstrates that Post Office intended to
“° Page 6, Post Office Group Investigations Policy dated 28 September 2016[POL00423383}
© Pages 6-7, Post Office Group Investigations Policy dated 28 September 2016[POL00423383}
Page 35 of 141
WITN11190100
WITN11190100
secure as much information as possible about risk. The same document describes
in more detail than previously seen the stages of the Speak Up process, as follows:
(a) Acknowledge receipt of the report;
(b) Log report on a spreadsheet within 24 hours during the working week;
(c) Set up a folder for each report to store documents and communications;
(d) “Sensitive, serious or repeat” reports were sent to WO for instructions as to who
should investigate; and
(e) Consideration was to be given to a form of tick-box investigation management
plan that was included in the document, including:
(i) How to assign a case to a business-based investigator,
(ii) The diarising of chasers for updates,
(iii) A review of the outcome of the investigation,
(iv) Consider the appropriateness of actions,
(v) Close the case,
(vi) Give feedback to the reporter,
(vii) Include in the monthly MI, and
(viii) Any material issues to be escalated to RCC/ARC.
60. Post Office revised its whistleblowing policy in September 2017 [POL00423451]>". I
summarise below the key content:
(a) The policy states, as in the 2016 version, that the General Counsel has overall
accountability to the Board for ensuring Post Office met its whistleblowing
obligations. As in the 2016 version, it states that "whistleblowing is an agenda
5* Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL00423451).
Page 36 of 141
WITN11190100
WITN11190100
item for the Audit and Risk Committee and the Post Office board is updated as
required"**. Unlike with the 2016 version, the General Counsel is also listed as
the policy owner (not an Employment lawyer). It states that ARC is responsible
for approving the policy and overseeing compliance, and that the Board is
responsible for setting the Group's risk appetite®*.
(b) The core principles of the policy are set out, replicating the 'aims' of the policy as
set out in 2016, and adding principles concerning oversight of the policy in line
with risk appetite and a training and awareness program to ensure employees
are aware of whistleblowing policy and procedure®?.
(c) It states that the policy applies to all employees in the Group and states that: "in
order to encourage reporting of wrongdoing, Post Office will, where appropriate,
extend equivalent protection to Postmasters, Agent Assistants, and members of
the public". In a footnote, 'employee' is defined as "permanent staff, temporary
including agency staff, contractors and anyone else working for or on behalf of
Post Office"®*. In a footnote it is stated that 'individuals' (who are raising a
whistleblowing concern) are defined as: "Postmasters, Agent Assistants,
members of the public and employees (permanent staff, temporary including
agency staff, contractors, consultants and anyone else working for or on behalf
of Post Office). The statutory protections offered under the Public Interest
Disclosure Act 1998 only apply to employees, however Post Office Limited will
consider extending these protections to other individuals where they have acted
® Page 3, Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL00423451].
© Page 14, Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL00423451).
Page 3, Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL004234511.
58 Page 3, Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL00423451].
® Page 3, Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL00423451).
Page 37 of 144
WITN11190100
WITN11190100
in good faith in raising concerns"®’. From this, I understand that Postmasters were
included within the scope of the policy (and given the equivalent of the protections
of PIDA 1998) if they raised a whistleblowing report in good faith. I note that this
is the earliest version of a Post Office whistleblowing policy that I have seen which
explicitly includes Postmasters.
(d) The policy states that Post Office is committed to respecting the confidentiality of
whistleblowers, including those who wish to remain anonymous. It is noted that
there was no obligation to provide personal contact information, but that not
providing it may reduce Post Office's ability to conduct a thorough investigation ®®.
(e) It is stated that the WO will review concerns raised and determine the best course
of action. Avenues for making a whistleblowing report are given as: the WO's
email address, the Speak Up line (run by InTouch) including a phone number and
the Post Office InTouch web link. It is stated that complaints can also be received
from a front-line team (customer complaints, NBSC and Grapevine, either written
or verbal) and that these reports, irrespective of method, would be passed onto
the WO®®. I note that contact details are provided for Grapevine, NBSC, Customer
Support Team and Executive Complains Team. This is a change from the 2016
policy.
(f) Further clarity is provided in this updated version on external disclosures and
gives the contact details for Public Concern at Work and contact details for
whistleblowing to the FCA, nothing that POMS is FCA regulated, and Post Office
57 Page 4, Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL00423451).
5° Page 5, Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL00423451].
®° Page 5, Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL00423451).
Page 38 of 141
WITN11190100
WITN11190100
is an appointed representative of the Bank of Ireland, and therefore individuals
could whistleblow directly to the FCA®.
(g) The policy states that all investigations must be carried out in accordance with
the Investigations Policy®'.
(h) A section of the policy contains information on risk appetite and minimum control
standards, which is an addition from the 2016 version®. I note the following which
are listed as minimum control standards in place for whistleblowing:
(i) Post Office has a nominated WO, and they must provide a report to the
RCC and ARC at least annually. Serious concerns must be promptly
escalated to the Chairman of ARC. All employees are trained on the policy.
(ii) Speak Up line reports are confidential, email inbox has restricted access,
confidentiality during the investigation must be protected and all incidents
of breaches escalated to the WO.
(iii) Training is provided to contact teams (Grapevine, NBSC, Customer
Support, Executive Complaints) to identify whistleblowing and
communications and awareness provided to all employees. Training is
also provided to people managers on induction, annual training is provided
to all staff and the Code of Business Standards must refer to the
whistleblowing policy (which new joiners get on induction).
(iv)Reporters are encouraged to provide full details and contact information,
if they are able to, and cases where no further action is taken due to lack
of information are monitored for trends.
© Page 6, Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL00423451).
Page 7, Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL00423451].
® Pages 8 — 11, Post Office Group Policies - Whistleblowing Policy (v2), 25.09.2017 [POL00423451).
Page 39 of 141
WITN11190100
WITN11190100
(v) WO must annually review the effectiveness of InTouch and the processes
operated by other contact teams.
61.In an email chain dated March 2017 [POL00423389] it is suggested that Post Office
were taking steps to encourage Postmasters to use Grapevine as a whistleblowing
service®: "Sharon is arranging for some comms to go out which reinforces that
agents and agent employees (who are not strictly covered in the same way as direct
employees), should report suspicions to Grapevine. We need to ensure that any
potential whistleblowing calls that Grapevine receive are flagged as such, not shared
with anyone else, and e-mailed each day to the whistleblowing inbox. This is
accessed by Jane on a daily basis, she will then log and deal or pass to myself or
the appropriate stakeholder if the matter is not strictly Whis tleblowing" and "when we
moved to the King’s Grapevine service (back in October/November 2012), it was
launched as a whistle blowing service for agents and their staff, and so it is just a
case of re-invigorating this, which John can achieve easily. We already get monthly
MI categorised by call types, so it will be very simple to include the data that Jane
has requested".
62. Subject to paragraph 62 below, Post Office has not been able to identify any further
materials during the time available for preparing this statement relating to the
reference to Postmasters being able to access King’s Grapevine in order to
whistleblow or any materials evidencing that the service was moved to King’s
Grapevine and/or promoted as a whistle blowing service for agents and their
°° Email chain between Sally Smith, Georgina Blair and others dated March 2017/POL00423389].
Page 40 of 141
WITN11190100
WITN11190100
staff. This comes despite various documents suggesting Grapevine may have been
contracted and/or used for whistleblowing purposes (for example, a draft services
agreement with POL from 2011 stating: 'The Services will extend and encompass
other associated activities which will evolve over time in support of Post Office's
security strategy i.e. a Whistleblower Confidential hotline etc' but I have not located
a signed copy to prove that this was taken forward). Communications regarding
Grapevine tends to focus on how its security functionality can assist Postmasters in
‘keeping safe’ and ‘tackling crime’ — see for example the 2008 v2 Post Office
Operations Manual [POL0043229] which provides that “all Post Office branch staff
with the information required to adopt good basic security practices to keep staff safe
from harm and Post Office assets secure”. Page 35 of this manual has information
on the “Grapevine Intelligence Service” which is stated as having been introduced
as a new crime-fighting initiative in association with all national Police forces — it
states that “Grapevine is a single point of contact for gathering crime -related
intelligence on a national local rate phone number...Front line staff can use the
number to report suspicious circumstances such as the following...product or service
fraud [and] suspected fraudulent activity, eg, counterfeit notes, suspicious
Debit/Credit card transactions.” Whilst the phone line is a reporting line, it is not a
Speak Up line per se. However, as mentioned elsewhere in this witness statement
(for example, see paragraph 31), it is unclear whether the Grapevine line was used
by Postmasters at this time for the purposes of Speaking Up.
Page 41 of 141
WITN11190100
WITN11190100
63.Connected to this, I have seen an updated document called 'Whistleblowing
Comms_v3' [POL00423388]*. It sets out the communications to be sent to Post
Office employees / workers, as opposed to agency branch staff. The update to the
employees / workers gives the contact details for the Speak Up service and InTouch.
The update for agency branch staff (the aim of which is to "address regulatory
requirement for branches to report concerns to the FCA") directs agents to report
whistleblowing concerns to Grapevine and gives the contact number. It also gives
the details for the FCA. It appears therefore that Post Office was encouraging staff
to use Speak Up / InTouch, and encouraging agents / Postmasters in branches to
use Grapevine
2018
64.Post Office revised its whistleblowing policy again in September 2018
[POL00423461]®. It is broadly similar to the 2017 version:
(a) In this version of the policy, the General Counsel remains policy sponsor and
policy owner, responsible for oversight of the policy. Again, it states that the ARC
is responsible for approving the policy and overseeing compliance (with the
Board responsible for setting the Group's risk appetite).
(b) In the minimum control standards, it continues to state that the WO must report
at least annually to the RCC and ARC, and that any serious whistleblowing
concerns must be promptly escalated to the Chair of the Post Office ARC®.
° Whistleblowing communications, Version 3 [POL00423388).
8 Post Office Group Policies - Whistleblowing Policy (v3), 29.09.2018, [POL00423461]
Page 8, Post Office Group Policies - Whistleblowing Policy (v3), 29.09.2018, POL00423461]
Page 42 of 141
WITN11190100
WITN11190100
(c) As in the 2017 version, this policy states that "in order to encourage reporting of
wrongdoing, Post Office will, where appropriate, extend equivalent protection to
Postmasters, Agent Assistants, and members of the public" and defines
employee as "permanent staff, temporary including agency staff, contractor,
consultants and anyone else working for or on behalf of Post Office"®’.
(d) Contact details are provided for the whistleblowing email address, and the Speak
Up line. It is noted that Expolink Europe Ltd (formerly InTouch) runs the reporting
service and the new link to the online web portal for Expolink is provided®.
(e) I note that there is a minor amendment to the minimum control section, which
expands who can receive confidential Speak Up line reports from just the WO, to
the WO and nominated deputies®.
2019
65.In 2019, a procedure document was prepared entitled ‘Whistleblowing Process v1.0’
(known as the "2019 Procedures") [POL00423657].”° This version is the first draft
and precursor to the 2020 Procedures (see paragraph 67 below). To summarise, the
procedures include:
(a) a summary of Post Office's commitment to whistleblowing;
(b) defines a report (including examples of whistleblowing and non-whistleblowing
reports) and detail on accessing and handling reports;
(c) explains the protections available, and how to raise a report;
(d) details the policy review process;
®7 Page 3, Post Office Group Policies - Whistleblowing Policy (v3), 29.09.2018, POL00423461]
® Page 5, Post Office Group Policies - Whistleblowing Policy (v3), 29.09.2018, POL00423461
® Page 11, Post Office Group Policies — Whistleblowing Policy (v3), 29.09.2018, POL00423467]
7° Whistleblowing Process v1.0, [POL00423657]
Page 43 of 141
WITN11190100
WITN11190100
(e) names the WO as the "owner" of the Whistleblowing Policy;
(f) includes communication and awareness plans to be published and delivered;
(g) explains how reports inform the business of concerns and effectiveness ;
(h) includes the results of a survey conducted between 8 February — 1 March 2019
identifying certain areas that need to be addressed regarding whistleblowing
communications and awareness training; and
(i) provides an overview of the activities undertaken in relation to whistleblowing
during the previous financial year.
66.In September 2019, Post Office revised its whistleblowing policy [POL00423603]"'.
Again, it is broadly similar to the previous version, and I briefly summarise the content
below:
(a) There are minor amendments to the introductory wording in the core principles
section, which states that: " Whistleblowing" refers to the act of exposing potential
or actual wrongdoing and/or dangerous practices by reporting it either internally
within an organisation, or to an external party. A whistleblower is a person who
raises a genuine concern in relation to any wrongdoing, this includes criminal
activity, regulatory breaches, miscarriages of justice, damage to the environment,
financial impropriety, reputational damage, any breach of legal or professional
obligations, dangers to health and safety and the deliberate attempt to conceal
it'?.
(b) I note that this policy may expand the WO's role, by stating that the WO "is a/so
responsible for identifying key trends or issues, and providing assurance to the
7 Post Office Group Policies - Whistleblowing Policy (v4), 19.09.2019 POL00423603).
” Page 3, Post Office Group Policies - Whistleblowing Policy (v4), 19.09.2019 POL00423603},
Page 44 of 141
WITN11190100
WITN11190100
Board that the policy is complied with" (as it was not specified in the 2018 version
that this was the WO's responsibility)’>.
(c) The following is also an addition from the 2018 version: "/n order to encourage
reporting of wrongdoing, Post Office will, where appropriate, and to the extent
possible, follow equivalent principles to encourage, receive and investigate
incidents of whistleblowing by Postmasters, Agent Assistants, and members of
the public and will not subject any such persons to any detriment (including the
termination of any contract or relationship with Post Office) for raising a genuine
whistleblowing concern in an appropriate manner"’*. Although the 2017 Policy
refers to Post Office Limited extending the protections under PIDA to other
individuals where they have acted in good faith in raising concerns, this is the first
version of the policy I have seen which specifically mentions that Postmasters
would not be subject to termination of a contract, by way of example, and that
specifies Post Office would use equivalent procedures for Postmasters.
(d) I also note the following addition, which confirms that confidentiality clauses in
settlement agreements do not prevent a member of staff from whistleblowing:
"Where a member of staff is subject to a Post Office settlement agreement, any
clauses within it will not prevent the member of staff from whistleblowing. This
should in any event be made clear by the terms of the settlement agreement itself
and staff should receive independent advice in relation to those terms when
entering into a settlement agreement"’®.
7 Page 5, Post Office Group Policies - Whistleblowing Policy (v4), 19.09.2019 POL00423603},
74 Page 4, Post Office Group Policies - Whistleblowing Policy (v4), 19.09.2019 POL00423603,
75 Page 4, Post Office Group Policies - Whistleblowing Policy (v4), 19.09.2019 POL00423603},
Page 45 of 141
WITN11190100
WITN11190100
(e) I also note that this version of the policy states that "where a report received is
anonymous, whistleblowers will not ordinarily be able to receive feedback and
details of action taken by Post Office may be limited"’®.
2020
67. Post Office revised its whistleblowing policy on 27 July 2020 [POL00030903]’’. I note
as follows on its content:
(a) This version of the policy continues to specifically include Postmasters: "/n order
to encourage reporting of wrongdoing, Post Office will, where appropriate, and to
the extent possible, follow equivalent principles to encourage, receive and
investigate incidents of whistleblowing by Postmasters, Agent Assistants, and
members of the public and will not subject any such persons to any detriment
(including the termination of any contract or relationship with Post Office) for
raising a genuine whistleblowing concern in an appropriate manner'”®.
(b) I note that a minor addition is made in this version to confirm that the WO will" at
the earliest opportunity" address any victimisation against a whistleblower’®.
(c) I also note that the Speak Up weblink has been updated, as it is in this version
'Ethicspoint' provided by Navex (http://postoffice.ethicspoint.com/) ®°.
(d) The minimum controls section is also slightly amended, to include two corrective
controls for receipt and investigation of whistleblowing reports: "The
Whistleblowing Officer must escalate Whistleblowing reports to the appropriate
Investigating manager for investigation to take place. The nominated
79 Page 6, Post Office Group Policies - Whistleblowing Policy (v4), 19.09.2019 POL00423603).
7” Post Office Group Policies ~ Whistleblowing Policy (v5), 27.07.2020 POL00030903}
78 Page 3, Post Office Group Policies - Whistleblowing Policy (v5), 27.07.2020 POL00030903},
79 Page 4, Post Office Group Policies - Whistleblowing Policy (v5), 27.07.2020 [POL00030903},
© Page 15, Post Office Group Policies ~ Whistleblowing Policy (v5), 27.07.2020 [POL00030903}
Page 46 of 141
WITN11190100
WITN11190100
Investigating manager responsible for conducting the investigation must report
the findings back to the Whistleblowing Officer'®'.
(e) In the definitions section, the Branch Support Centre (BSC) replaces NBSC in
the 2019 version. I note that the contact number for BSC is different, but the
contact email address is the same as for NBSC®.
68.A document called 'Whistleblowing Process’ was finalised after the approval of the
2020 whistleblowing policy [POL00423530]**. I summarise the key content of
[POL00423530]**. Key changes in the 2020 Procedures (signed off on 26 October
2020) as follows:
(a) The definition of whistleblowing amends the 2019 wording to include misconduct
and refers to the statutory duty on Post Office not to subject staff to any detriment
or dismiss them for whistleblowing.
(b) Qualifies the support to be provided to Postmasters, Agent Assistants and
members of the public; the words "will seek to provide equivalent protection" in
the 2019 Procedures are replaced with "where appropriate, and to the extent
possible, follow equivalent principles."®°
(c) Outlines the requirement to protect the confidentiality of all whistleblowers but
states it may be necessary to share the whistleblower’s identity with a relevant
stakeholder.
® Page 10, Post Office Group Policies ~ Whistleblowing Policy (v5), 27.07.2020 [POL00030903}.
® Page 14, Post Office Group Policies ~ Whistleblowing Policy (v5), 27.07.2020 [POL00030903}
® Post Office Whistleblowing Process (v2), October 2020[POL00423539}
* Post Office Whistleblowing Process (v2), October 2020[P0L00423539)
® Post Office Whistleblowing Process (v2), October 2020[POL00423539)
Page 47 of 141
WITN11190100
WITN11190100
(d) Post Office's General Counsel is named as having overall accountability to the
Board of Directors for the implementation of controls ensuring that Post Office
meets its whistleblowing obligations.
(e) Briefly covers accessing the Speak Up Line and EthicsPoint portal, though does
not provide step-by-step guidance. The EthicsPoint portal replaces the Speak Up
portal referred to in the 2019 Procedures.
(f) Individuals are able to make whistleblowing reports via calls to the BSC Executive
Correspondence team (when they were previously made to NBSC); and
(g) NAVEX Global (formerly Expolink Europe Limited) and InTouch MCS Ltd are
contracted to provide the external reporting telephone hotline and web portal.
69. The 2020 Whistleblowing Process document also states as follows:
(a) The whistleblowing log spreadsheet (located on the whistleblowing teams site)
must be constantly updated and ensure a clear audit trail for each report®.
(b) Each report must be reviewed to determine priority. If considered sensitive,
serious, repeat (potential trend), this would be referred to the Whistleblowing
Officer for guidance on who should undertake the investigation. Once the
appropriate business unit had been identified, then the report would be assigned
to the relevant Group Executive (GE). In most cases, the GE member would then
appoint the relevant person within their area to conduct the investigation ®”. It is
stated that some types of reports can go to a Senior Manager, rather than GE
member, including: reports of fraud / theft (to go to assigned to the Head of
Security;); reports of Postmasters contractual breaches (to go to Head of
® Page 10, Post Office Whistleblowing Process (v2), October 2020 [POL00423539)
* Page 11, Post Office Whistleblowing Process (v2), October 2020 [POL00423539)
Page 48 of 141
WITN11190100
WITN11190100
Security, Safety and Loss Prevention); and reports of bullying / harassment (to
go to Employee Relations and Policy Director).
(c) Appendix C records the results of the survey which ran from 8 February to 1
March 2019. 93% of respondents understood the meaning of whistleblowing;
52% said they did not know or were not sure where the whistleblowing policy
was; 93% understood they should contact Speak Up service if they could not
approach their line manager; 96% knew what Speak Up service was; 79% knew
that whistleblowing reports would be passed to the WO; and 96% said that Post
Office was committed to respecting confidentiality and anonymity. However,
various quotes from respondents state that there was confusion as to the
difference between Speak Up and whistleblowing, and that there was still fear of
detrimental treatment, which prevented reports being made®®.
70. It is noted that the Postmaster Support Guide published in July 2020 [POL00423558]
[POL00423507, slide 20] (with metadata showing a date of 12 June 2020) refers
Postmasters to the Speak Up line. In March 2021, Post Office introduced a
Postmaster Onboarding Policy, which also refers to the whistleblowing line
[POL00423559].
2021
71.A Whistleblowing Working Group was also established by the Group General
Counsel in January 2021, in his capacity as Whistleblowing Officer, in order to review
the policies and procedures and make any changes with appropriate sign off then
°° Pages 23 — 28, Post Office Whistle blowing Process (v2), October 2020 [POL0042353Q,
Page 49 of 141
WITN11190100
WITN11190100
taking place. I understand that the working group was disbanded when this work
concluded. I note from a spreadsheet called 'Whistleblowing working group actions
and updates' dated 2 February 2021 [POL00423689] that key actions taken by the
Working Group are summarised below:®?
(a) Consideration was given to ensure alignment between the Whistleblowing Policy,
the Postmaster Complaints Policy and the Group Investigations policy.
(b) The creation of a centralised Postmaster Complaints dashboard which captured
MI about complaints from Postmasters via various channels. This was viewed
alongside the Whistleblowing MI dashboard to ensure Postmaster complaints
requiring whistleblowing investigation were captured within whistleblowing
reporting. A dedicated dashboard for Postmaster whistleblowing was also
contained within the Whistleblowing Dashboard.
(c) The creation of a Whistleblowing Champion role by the appointment of a Non-
Executive Director to that role to replace the Group General Counsel as
Whistleblowing Officer. This was intended to mitigate against any conflict of
interest arising from his dual roles.
(d) An external whistleblowing advocate organisation, Protect,°° ran a training
workshop attended by Post Office’s General Executive team, senior managers,
and the whistleblowing team in January 2021, and a new module on
whistleblowing was developed and rolled out to Post Office employees on 15
March 2021.
(e) Improvements to communications within Post Office and to Postmasters were
made, highlighting available access to whistleblowing.
® POL Whistleblowing working group actions and updates dated 2 February 2021 POL00423689)
® Protect, https://protect-advice. org. uk’
Page 50 of 141
WITN11190100
WITN11190100
(f) Enhanced project management around whistleblowing reports was created to
track and monitor postmaster reports.
72.Post Office assessed its whistleblowing arrangements using a self-assessment tool
from Protect. The benchmarking report is dated 18 February 2021 [POL00423542]
and it gave Post Office a score of 46% overall. In respect of Post Office's written
policies and procedures, Post Office received a score of 86% with no specific
recommendations for improvement®!. A summary of the other scores is set out as
follows:
(a) Accountability: 61%
(b) Review and reporting: 59%
(c) Communications: 30%
(d) Training: 8%
(e) Operations: 36%
(f) Support and protection: 41%
(g) Recording and investigation: 56%
(h) Resolution and feedback: 18%
73. The changes to the policy were set out in the policy review section of the
'Whistleblowing Policy Review & Report’ [POL00423545], dated 30 March 2021, to
ARC. It is stated in this report that: "whilst the policy and process were intended to
cover employees and the protections afforded to them under the law, reports have
historically been received from postmasters, their teams, customers and the general
% Page 8, Protect Whistleblowing Report [POL00423542]
Page 51 of 141
WITN11190100
WITN11190100
public, and these reports have always been investigated and managed under the
whistleblowing policy’. \t is also stated that "to date, Post Office has not had any
material reports, or found evidence of significant or material (or disclosable)
wrongdoing through the whistleblowing channel".
74.1 note the content of the 14 May 2021 policy [POL004 13444] as follows:
(a) The policy states that "the MLRO & Head of Financial Crime and the Group
Compliance Director have overall accountability to the Board of Directors to
oversee that a positive whistleblowing culture is proactively encouraged
throughout Post Office and the current arrangements are challenged and
assessed for areas of continuous improvement. The Policy Sponsor and Owner
are accountable for the implementation of controls ensuring Post Office meets
its Whistleblowing obligations. Whistleblowing is an agenda item for the Audit and
Risk Committee and the Post Office Board is updated as required"®®.
(b) The policy introduces the Whistleblowing Procedures to be used in conjunction
with the policy: "the Policy and associated procedures for use by those handling
whistleblowing reports (the “Whistleblowing Procedures’) (set out in this
document where relevant) are proportionate to the risks and complexity of the
Group". A footnote states that the Procedures would be provided internally to
those handling Whistleblowing reports. The Core Principles are also amended to
include: "Post Office will treat Whistleblowing disclosures consistently, fairly,
appropriately and professionally’.
® Page 5, Whistleblowing Policy Review and Report dated 3 March 2021[POL00423545}
® Page 3, Post Office Group Policies - Whistleblowing Policy (v6), 14.05.2021 POL00413444)
% Page 3, Post Office Group Policies Whistleblowing Policy (v6), 14.05.2021 POL00413444)
% Page 3, Post Office Group Policies - Whistleblowing Policy (v6), 14.05.2021 POL00413444)
Page 52 of 141
WITN11190100
WITN11190100
(c) The definitions of employee and staff are brought into the body of the text, in the
definitions section, as follows: “Employee” and “Staff” means an individual who
has entered into or works under (or, where the employment has ceased, worked
under) a contract of employment or any other relevant contract, as defined in
sections 230(2) and (3) of the Employment Rights Act 1996, with Post Office or
the Group or is defined as a “worker” under section 43K Employment Rights Act
1996"©. In the Application section, the policy confirms that the policy applies to
staff and also (as in the previous versions) "in order to encourage reporting of
wrongdoing, Post Office will, where appropriate, and to the extent possible, follow
equivalent principles to encourage, receive and investigate incidents of
Whistleblowing by Postmasters (whether limited companies, partnerships, limited
liability partnerships or individuals), Agent Assistants, and members of the
public"’”.
(d) The definition of whistleblowing is clarified (in line with legislation) and the section
on how to report is expanded, to include the contact details of Post Office's main
reporting mechanisms plus Grapevine, BSC, Customer Support Team and
Executive Correspondence Team, which was previously in the definitions
section. Notably, the policy includes a section which clarifies that the
whistleblower does not need to provide evidence for Post Office to look into the
concerns raised and clarifies that reports can be made openly, confidentially or
anonymously (noting that "without certain details, it may not be possible to
% Page 4, Post Office Group Policies - Whistleblowing Policy (v6), 14.05.2021 POL00413444)
*” Page 4, Post Office Group Policies - Whistleblowing Policy (v6), 14.05.2021 POL00413444)
Page 53 of 141
WITN11190100
WITN11190100
investigate a report as thoroughly and/or provide feedback on the progress or
outcome of the investigation")°*.
(e) The policy includes a section on the difference between whistle blowing and other
complaints, with examples of both®?.
(f) Another significant addition to this policy is the section on the Whistleblowing
Champion (a Non-Executive Director), who has "responsibility for ensuring and
overseeing then integrity, independence and effectiveness of this Policy and
procedures on Whistleblowing including those policies and procedures intended
to protect Whistleblowers from being victimised because they have made a
disclosure that constitutes Whistleblowing" and responsibility for overseeing:
(i) A positive whistleblowing culture is proactively encouraged throughout
Post Office.
(ii) The current arrangements are challenged and assessed for areas of
continuous improvement and best practice.
(iii) Whistleblowers are always supported and protected when raising a
concern.
(iv) Barriers to speaking up are uncovered and addressed.
(v) The Whistleblowing team, senior managers and leaders receive training
on the importance of Whistleblower support.
(vi)Root cause analysis is undertaken for all cases and issues, so that
continual improvements can be made in the relevant areas’.
%° Pages 5 — 6, Post Office Group Policies— Whistleblowing Policy (v6), 14.05.2021 POL00413444]
% Page 6, Post Office Group Policies Whistleblowing Policy (v6), 14.05.2021 POL00413444)
1® Page 8, Post Office Group Policies - Whistleblowing Policy (v6), 14.05.2021 POL00413444)
Page 54 of 141
WITN11190100
WITN11190100
(g) The policy confirms that the management of reports sits with the Money
Laundering Reporting Officer and Head of Financial Crime, via the
Whistleblowing Manager (and deputies) who receive all reports raised regardless
of channel. It states that the Whistleblowing Manager is responsible for the policy,
identifying key trends and issues, and providing assurance to the Board the policy
is complied with'*'.
(h) It states, as the previous versions did, that investigations will be carried out in line
with the Investigations Policy which "sets out specific Whistleblowing
considerations for investigations". It states that, in respect of anonymous reports,
feedback will not ordinarily be given but that it could be sought through a
telephone appointment or by using an anonymous email address‘.
(i) Further information is given in the External Disclosures section, which includes
sources of advice (Government, Trade Unions, and ACAS), and provides contact
details for the Prudential Regulation Authority which can accept whistleblowing
reports, in addition to the FCA 1°.
(j) The new roles of Whistleblowing Champion and Whistleblowing Manager is
added into the minimum controls section. Also new minimum controls are
included in respect of line managers and support available to whistleblowers:
(i) Employees and staff should be made aware of the multiple ways to
disclose a report (and that they can be anonymous);
(ii) Training must be provided to line managers on induction as manager and
on appointment to Post Office; and
19! Page 8, Post Office Group Policies - Whistleblowing Policy (v6), 14.05.2021 POL00413444)
1® Page 8, Post Office Group Policies - Whistleblowing Policy (v6), 14.05.2021 POL00413444)
1% Pages 9 - 10, Post Office Group Policies — Whistleblowing Policy (v6), 14.05.2021 [POL00413444).
Page 55 of 141
WITN11190100
WITN11190100
(iii) Feedback should be taken from reporters throughout the investigation to
monitor that they feel supported and protected by Post Office 1%.
75. Again, whilst this is beyond the relevant timeframe for this Rule 9 request, I briefly
note for completeness that a number of changes to the Speak Up function have been
made since June 2021. These include:
(a) Post Office’s first dedicated Whistleblowing Manager was recruited in May 2021,
with two dedicated investigators joining the team in late 2021. Protect conducted
a second assessment of Post Office's whistleblowing function, which reported a
score of 80% on 30 November 2021 [POL00423615]'%.
(b) In August 2021, KPMG undertook a review of Post Office’s investigations process
to establish whether its decentralised model was effective, especially in relation
to high-risk cases and to consider the best model for investigations going forward
[POL00423697]'®. This included investigations originating from whistleblowing
information. The review found that there was limited central oversight and a lack
of overarching consistency over how investigations are undertaken and recorded
within Post Office. This observation was applicable to investigations that were
commenced due to receiving information from a whistleblower or whistleblowers.
A number of recommendations were made to introduce a centralised approach
to investigations, triaging, and consistency in reporting.
(c) In September 2021, following this review, GE approved the setting up of the CIU
and following my appointment in February 2022 as the Head of CIU, the
1% Page 16, Post Office Group Policies - Whistleblowing Policy (v6), 14.05.2021 [POL00413444)
195 Protect Report dated 30 November 2021 POL00423619,
1% KPMG Investigations Process Review [POL00423697].
Page 56 of 141
WITN11190100
WITN11190100
whistleblowing function and its three staff migrated from Financial Crime to CIU.
I report to the Group Legal Director.
(d) In November 2021, a further self-assessment using Protect was completed. The
report, dated 30 November 2021, gave Post Office a score of 80%
[POL00423615}""”.
D. Escalation and Reporting Processes within the Board or involving the Board
76. This section of the witness statement addresses escalation and reporting processes
within the Board or involving the Board. Escalation in this context means the way
that a serious incident / report would be communicated up within the business to
appropriately senior level of management. Reporting in this context refers to data
and management information gathered on whistleblowing reports (rather than the act
and process of making a whistleblowing report).
77.As explained in Ms Scarrabelotti's First, Second and Third witness statements to the
Inquiry, Post Office has limited corporate records for the period prior to 2012. As
such, my comments on escalation and reporting processes in this Section D are
mainly restricted to the period following separation in 2012.
D1 Whistleblowing Responsibilities
78.1 first set out the Board and Strategic Executive Group ("SEG") level committees that
have whistleblowing responsibilities, as follows.
1" Protect Report dated 30 November 2021 POL00423615)
Page 57 of 141
WITN11190100
WITN11190100
Board
79.1 have seen the Board Terms of Reference from January 2013 [POL00362127],
which state that (amongst other things) the Board is collectively responsible for
establishing a proper governance framework to manage and monitor risk. Approval
of Group policies, which includes the whistleblowing policy, is specifically reserved
for Board decision. I have also seen the Board Terms of Reference from February
2015 [POL00362178] which continues to state that the Board is responsible for the
approval of Group policies, including the whistleblowing policy. Further versions of
the Board Terms of Reference have also been reviewed [POL00362191] and
[POL00423415]. On the face of it, they appear undated, however, the metadata
contained within Relativity indicates that they are dated July 2016 and November
2018, respectively. These versions continue to state that the Board has overall
responsibility for the approval of governance policies, including the whistleblowing
policy. The Board Terms of Reference state that the Board may delegate authority
for some of its responsibilities to a Board Committee and this is indicated with an
asterisk; the responsibility which mentions whistleblowing does not contain an
asterisk.
80.As part of the searches undertaken for this witness statement, Board minutes and
meeting packs have been reviewed. There are some references within the minutes
of the Board to it noting the minutes of ARC meetings which contained
whistleblowing updates (as set out below). It is also noted that notwithstanding
paragraph 78 above, the ARC appears to have taken on responsibility for revieing
the whistleblowing policy annually (see paragraph 82 below).
Page 58 of 141
WITN11190100
WITN11190100
Audit and Risk Committee ("ARC")
81.The ARC is a committee of the Post Office Board formed post separation in 2012.
The Group Chief Executive, the Group Chief Financial Officer, the Group General
Counsel, the Head of Risk, the Director of Compliance, and the Head of Internal
Audit are permanent invitees of the ARC. The external auditors and any internal audit
co-source partners may attend all or part of any ARC meeting at the invitation of the
ARC Chair. As a minimum, the external auditors will attend to present their external
audit plan for approval and to present their reports.
82.1 have seen ARC Terms of Reference from March 2014 [POL00362136], which state
that it will oversee the RCC's activities and receive summary reports as appropriate
and will "review with the internal auditors and the external auditors the results of any
review of the compliance with the Company's codes of ethical conduct and similar
policies including whistleblowing™®. It states that the ARC will "ensure lines of
communication are maintained with the Board". In the Appendix it states that the
ARC will review the Ethics and Code of Conduct and whistleblowing policy each
February’'°. I have also seen the ARC Terms of Reference from September 2015
(which I believe to be a final version, although it is not entirely clear from the face of
the document) [POL00423345], which continue to state that the ARC will oversee
the RCC's activities and receive summary reports as appropriate; ensure lines of
communication are maintained with the Board; and will review with the internal
auditors and the external auditors the results of any review of the compliance with
18 Page 5, ARC Terms of Reference dated March 2014 [POL00362136].
1 Page 2, ARC Terms of Reference dated March 2014 [POL00362136],
"© Page 6, ARC Terms of Reference dated March 2014 [POL00362136).
Page 59 of 141
WITN11190100
WITN11190100
the Company's codes of ethical conduct and similar policies including
whistleblowing.'"' The ARC Terms of Reference from April 2020 [POL00423503]
were further slightly amended, with key content as follows:
(a) "Review with the internal auditors and the external auditors the results of any
review of the compliance with the Company’s codes of ethical conduct and similar
policies including whistleblowing"
(b) "Review at least annually the adequacy and security of the Company’s
arrangements for its employees and contractors to raise concerns, in confidence,
about possible wrongdoing in financial reporting, regulatory breaches or other
matters. The Committee shall determine that these arrangements allow
proportionate and independent investigation of such matters and appropriate
follow up action"""?.
(c) "The Chair shall report formally to the Board on its proceedings after each
meeting on all matters within its duties and responsibilities and shall also formally
report to the Board on how it has discharged its responsibilities"""*.
(d) "Monitor the Risk and Compliance Committee activities and receive summary
reports as appropriate"’™®.
83.The meeting of ARC on 13 November 2012 refers to there being an intention to
review the whistleblowing policy on an annual basis [POL00423234].
'' Page 4, ARC Terms of Reference dated September 2015 [POL00423345).
"2 Page 4, ARC Terms of Reference dated April 2020 POL00423503,
‘8 Page 4, ARC Terms of Reference dated April 2020 POL00423503),
14 Page 6, ARC Terms of Reference dated April 2020[POL00423503)
‘8 Page 3, ARC Terms of Reference dated April 2020 POL00423503).
Page 60 of 141
WITN11190100
WITN11190100
84.By way of example, a Post Office Speak Up Policy was presented to the ARC in
February 2013. The Policy was noted by the Committee who requested a report on
the issues raised at the end of 2013-2014, with any significant matters highlighted in
the interim [POL00423141].116
85. The Board meeting minutes dated 23 January 2013 [POL00021510] refer to page 8
of the Corporate Governance Review which states‘’”:
(e) The Chairman of the ARC asked that the Company's "whistle-blowing"
arrangements be reviewed at the ARC and not the Executive Risk and
Compliance Committee, and that the ARC terms of reference be changed to take
this into account.’
86.1 have reviewed ARC Minutes and Meeting Packs that have been made available to
me. In addition to the above, whilst I do not summarise every document, I set out
below a brief overview of the documents from ARC that I have seen that touch upon
whistleblowing, to illustrate the type of whistleblowing information and documents
that were received by the ARC:
Pre-separation:
87.Post Office has been able to identify limited copies of its own Audit Committees
minutes prior to separation. It has not been able to locate any minutes of the Audit
Committee as part of the work for this request for Rule 9(50) which refer to
whistleblowing.
18 Page 22, ARC Agenda and papers dated 13 February 2013 POL00423147]
177 Page 8, Post Office Board meeting minutes dated 23 January 2013 [POL00021510,
Page 61 of 141
WITN11190100
WITN11190100
88.In any event, and as outlined above at paragraph 20, during this period it appears
that whistleblowing complaints were handled by Royal Mail centrally as opposed to
by Post Office. In relation to reporting Royal Mail Board minutes dated 6 April 2004
[POL00423145] and 5 October 2004 [POL00423146] demonstrate that the
whistleblowing function was delegated to its Audit and Risk Committee (the “RMG
ARC”)''8 and that reporting took place within that forum in the first instance
[POL00423143], [POL00423144], [POL00423147], [POL00423148],
[POL00423149] [POL00336006]. There is reference in the RMG ARC minutes from
14 June 2010 to an update from across the Group on whistleblowing, so it appears
as though there was Group reporting to Royal Mail about this topic [POL00423198].
From minutes of the Board meeting on 5 October 2005, the RMG ARC reported to
the Board on matters including updates on policies, procedures and reporting
[POL00423146].
Post-separation:
89. The following is a chronological summary of those references to Speak Up at the
ARC that I have found for the period post-separation:
(a) November 2012 - The pack for the ARC meeting on 13 November 2012
[POL00423234] includes a reference to the “provision and management of Speak
Up arrangements for POL” as a proposed scope for the 2012/13 Internal Audit &
Risk Management Plan.
"8 Page 86, Royal Mail Board minutes dated 5 October 2004 [POL00423146).
Page 62 of 141
WITN11190100
WITN11190100
(b) February 2013 - The pack for the ARC meeting on 13 February 2013
[POL00423141] includes a copy of the Post Office Speak Up Policy effective from
1 April 2012''8. The minutes for that meeting [POL00423673] record: ‘Susan
Crichton explained the changes to the Post Office's Speak Up Policy
(Whistleblowing) and the plan to communicate to Staff in April. The policy was
noted by the Committee who requested a report on the issues raised at the end
of 2013-2014, with any significant matters highlighted in the interim’.'?° These
minutes were noted by the Post Office Board in its meeting of 21 May 2013
[POL00145327).12"
(c) May 2016 — The meeting pack for the ARC meeting on 19 May 2016 contains a
copy of the whistleblowing policy for approval [POL00423509].'*2 The minutes of
that meeting [POL00423368] record that ARC asked that the whistleblowing
policy be amended to include exposing ‘potential’ wrongdoing, and that the list of
example be extended to include money laundering and terrorism. Taking into
account the input from the ARC, the policy was approved'?°. These minutes were
noted by the Post Office Board in its meeting of 29 September 2016
[POL00021544]'24
"8 Page 22, ARC Meeting Pack, 13 February 2013 [POL00423141]
129 Page 2, ARC Meeting Minutes, 13 February 2013 [POL00423673)
‘21 Page 6, Post Office Board meeting minutes dated 21 May 2013 POL00145327I
12 Page 295, ARC agenda and pack for meeting of 19 May 2016 POL00423509).
12 Page 5-6, ARC meeting minutes dated 19 May 2016 [POL00423368}
1% Page 1, Post Office Board minutes dated 29 September 2016 POL00021544]
Page 63 of 141
WITN11190100
WITN11190100
(d) May 2017 — The meeting pack for the ARC meeting on 18 May 2017
[POL00423390] contains a whistleblowing report [POL00423669], which notes
that four incidents had been reported during the preceding year’?5. The minutes
of that meeting [POL00423409] record that Jane MacLeod presented the
whistleblowing report and noted that four reported incidents was very low but
explained that individuals used other processes to register issues'?®. Ms
MacLeod also said that a communication had been sent out to advertise the help
line. ARC asked whether the help line was available to postmaster assistants and
Ms MacLeod said that two recent incidents had been registered by postmaster
assistants. ARC noted the report, and the minutes specifically record: ‘The ARC
recognised that 4 incidents was very low but accepted that the Executive were
doing all the right things to promote the support’!’.
(e) March 2018 - Updates were contained within a Financial Crime Risk Update
(which was noted), including the volume of reporting, that regular
communications were planned, and an overview of recent cases. The audit plan
refers to the scope of the whistleblowing process in Q4 [POL00423412].
(f) May 2018 — As per the March update, this was contained within the Financial
Crime Risk Update, with no significant updates, and it being noted that a poster
was being developed [POL00423413]. A poster about Speak Up dated 19 April
'5 Page 272, ARC pack for meeting of 18 May 2017 [POL0042339().
1% Page 11, ARC meeting minutes dated 18 May 2017/POL00423669).
177 Pages 11-12, ARC meeting minutes dated 18 May 2017 (POL00423409).
Page 64 of 141
WITN11190100
WITN11190100
2018 appears to have been created and it is likely given the date that this is the
poster referred to in the update [POL00423483].
(g) July 2018 — The minutes of the ARC meeting on 31 July 2018 [POL00021457]
record that the report indicated no systemic issues 12°. Ms MacLeod added that
there was a process for all reports received, which were all investigated, and
none appeared to be systemic issues. The minutes record that: ‘TC asked
whether we have analysis of closed cases to understand the nature of the issue
and what the outcome was, and JM confirmed what we do. JM noted that though
the Whistleblowing line we also get bullying complaints which are passed to HR
for resolution. If there is a complaint against an agent, it is referred to the Network
team. JM noted that allegations of fraud are addressed through our BAU process.
There are mostly low level with no particular themes and no individual cases that
are likely to result in reputational damage. PV noted that all incidents of bullying
and harassment or sexual harassment are reported to her and dealt with
appropriately. PV encourage staff to speak up and be objective and noted that
there has been a single serious issue.’ The minutes further record that the
whistleblowing report was taken as read and that the whistleblowing policy was
approved'2°
(h) October 2018 — The update was contained within the Compliance Report, with
no material issues being highlighted and the initiation of a Review of the Code of
Business Standards being noted [POL00423414].
28 Page 6, ARC meeting minutes dated 31 July 2018 POL00021457]
19 Pages 6-7, ARC meeting minutes dated 31 July 2018 [POL00021457},
Page 65 of 141
WITN11190100
WITN11190100
(i) January 2019 - The update was again contained within the Compliance Report,
which cited no material issues, a satisfactory audit rating, and action relating to
communications [POL00423423]. There internal audit report for the January
2019 meeting rated the whistleblowing process as “satisfactory” and outlined
three areas as “P2” [POL00423417]
(j) The three areas which were identified as P2 were that:
a. There was an absence of a mechanism to confirm and measure staff
awareness of the whistleblowing arrangements and to gauge the success
of awareness campaigns;
b. There was no targeted training provided to staff who are responsible for
investigating whistleblowing reports;
c. There was a lack of root cause analysis and action plans to address
recurring cases.
(k) March 2019 — The update was contained within the Compliance Report, with no
material issues being reported, and news of a survey being conducted to
understand levels of awareness within the business [POL00423454].19°
(I) May 2019 — The update was contained within the Risk, Compliance and Audit
Report, with no material issues identified, an analysis of the February survey
1 Page 46, POL ARC Agenda and pack for 25 March 2019 [POL00423454)
Page 66 of 141
WITN11190100
WITN11190100
being undertaken, and confirmation of the organisation working to improve its
service [POL00422968].'*'
(m)July 2019 — The pack for the ARC meeting on 29 July 2019 [POL00423508]
includes a Risk Management and Compliance Report, which states that the ARC
received an update on whistleblowing.'®? The Whistleblowing review for 2018-19
provides an overview of the financial year [POL00423583] and the Appendix
provides a summary of whistleblowing reports received in 2018-19
[POL00423582]. It includes reference to the origin of the reports including those
made by or about Postmasters or Agent Assistants. The ARC recommended that
going forward the infrastructure to support whistleblowing be extended to third
parties. The minutes of that meeting [POL00423466] record that the ARC noted
the update. '®*
(n) September 2019 — The update contained within the Risk, Compliance and Audit
Report noted no significant issues, and the planned communications
[POL00423464].14
(0) November 2019 — The update was contained within the Risk, Compliance and
Audit Report, with no significant issues being raised, and new planned
communications being noted [POL00423684]."°5
'5* Page 298, POL ARC Agenda and pack dated 29 May 2019 [POL00422968},
12 Page 5, ARC pack for meeting dated 26 July 2019 POL0042350§}
183 Page 9, ARC meeting minutes dated 26 July 2019 POL00423466]
1% Page 52, POL ARC Agenda and Pack dated 23 September 2019 POL00423464]
15 Page 62, POL ARC Agenda and Pack for 25 November 2019 POL00423684]
Page 67 of 141
WITN11190100
WITN11190100
(p) January 2020 — The pack for the ARC meeting on 28 January 2020 contained a
Risk, Compliance and Audit Report [POL00423468], which contained the
following ‘Whistleblowing Update’:
‘34 Due to the number of reports received recently from Agent assistants,
we are currently working with the Communications team to identify ways
to raise awareness of the importance of whistleblowing to our agents and
ensure they understand that whistleblowers are protected by law to stop
them being treated unfairly or losing their job because they "blew the
whistle".
35 Expolink Europe Ltd currently provide our Whistleblowing Speak Up
service, however, the contract has expired. During the contract renewal
discussions, Expolink were acquired by Navex Global Ltd, and they
advised that they are not prepared to sign a novation in relation to
Expolink, but would migrate Post Office onto a contract with Navex
Global. It has been agreed internally, supported by Legal, and with the
Supplier to proceed with the new contract, which would see Post Office
migrated onto a new platform with additional services. This is expected
to be completed by financial year end’™*®.
The minutes of that meeting [POL00423505] state that the ARC noted that
update’’”,
1% Page 82, ARC pack for meeting of 28 January 2020[POL00423469}
157 Page 7, minutes of ARC meeting dated 28 January 2020 [POL00423505},
Page 68 of 141
WITN11190100
WITN11190100
(q) May 2020 — The update contained within the Risk, Compliance and Audit Report
confirmed the new contract with Navex Global and noted an increase in reporting
in March [POL00401577].18
(r) July 2020 - The pack for the ARC meeting on 27 July 2020 [POL00423510]
contains an annual whistleblowing report'®®. That report noted that, amongst
other things:
(i) A process document had been created to provide guidance on how to deal
with whistleblowing reports received via all channels
(ii) A Financial Crime Policy Assurance Framework had identified no
deficiencies or major flaws in the application of the whistleblowing policy
across Post Office.
(iii) A new contract with Navex Global to provide whistleblowing services had
been completed and Post Office migrated onto their new reporting
platform.
(iv)In the preceding year, there had been six communications published in
relation to whistleblowing to raise awareness of the reporting channels and
protections and encourage reporting. Additionally, some workshop
sessions had been held at the Employee Engagement Conference to
explore ethical values and ‘doing the right thing.”
188 Page 18, POL ARC Agenda and Pack dated 19 May 2020 [POL00401577],
1 Page 22, pack for ARC meeting dated 27 July 2020/POL00423510]
Page 69 of 141
WITN11190100
WITN11190100
(v) The annual policy review had led to minor amendments to clarify wording
and definitions within the overview and minimum control standards
sections.
(vi) There had been a slight decrease in whistleblowing reports from 43 to 41.
Most reports related to individuals in the network, although there had been
an increase in reports relating to colleagues in Post Office’s supply chain
cash centres.
(vii) The most popular reporting channel was the Speak Up line. The most
common complaint related to fraud and most allegations were against
Postmasters.
(viii) There had been some delays in investigation caused by Covid-19
lockdown, but these could now be fully investigated.
The pack also contained a Risk, Compliance and Audit Report, which contained
a whistleblowing update’4°. The update notes that (i) the migration to the new
Navex Global Ltd platform was completed in May, and further communications
and awareness were planned for the summer; (ii) there had been a slight
decrease in new reports in Q1 2020/21, with 8 reports received, and there
continued to be a number of reports against employees at non-customer facing
sites; and (iii) two branch-related investigations remained on hold due to Covid-
19 restrictions, but that these would be progressed. It also contained a summary
of whistleblowing reports received in 2019-20 [POL00423589]. This report
reflected that there were 41 reports received and 43 closed. The majority of
‘# Page 133, Pack for ARC meeting dated 27 July 2020 POL00423519)
Page 70 of 141
WITN11190100
WITN11190100
reports (14) were about branches. Three of the reports were made by
Postmasters in the year 2019-20 which was a decrease of one report on the
previous year (where 4 were made).
(s) July 2020 — The minutes of the ARC meeting [POL00401607] noted that the ARC
had approved the whistleblowing policy'*".
(t) November 2020 — An update contained within the Compliance and Audit Report
noted the procurement of consultancy work with Protect, as well as an initiative
to work with Postmaster complaints to ensure a centralised view of Postmaster
concerns [POL00423518].
(u) January 2021 — The update contained within the Compliance and Audit Report
noted that the Protect contract had commenced, and that the GE and SMs were
to receive training [POL00423685]
(v) March 2021 — The pack for the ARC meeting on 30 March 2021 [POL00423690]
contains a whistleblowing report'4?, the executive summary of which states:
Post Office is able to demonstrate that it has good policies and
procedures in place which have been followed. Post Office's
Whistleblowing Team have reviewed past whistleblowing reports for
evidence of subsequent ‘detriment! to the reporters which found no
45 Page 2, POL ARC minutes for meeting on 27 July 2018 POL00407607]
+ POL ARC meeting pack dated 31 March 2021 [POL00423699.
Page 71 of 141
WITN11190100
WITN11190100
evidence of ‘detriment’. In addition, Herbert Smith Freehills LLP (HSF),
working with the Whistleblowing Team, have performed an additional
analysis of HR records for Post Office employees, including those in
directly managed branches, that have made a whistleblowing report.
HSF found that (1) in all but one case there was no evidence of detriment
to the particular whistleblowing reporters, and (2) in the remaining case,
they were unable to form a definitive view based on the HR records that
were available for their review and without taking further steps, for
example by interviewing the whistleblowing reporter who is no longer a
Post Office employee. Whistleblowing engagement including training
needs particular attention, together with operational improvements which
are being addressed in April and May 2021.
As a result of the review of whistleblowing policy, processes and culture,
there are a number of recommended enhancements to improve and
mature these areas, including the creation of a Non-Executive Board
Director Whistleblowing Champion.
(w)In summary, the ‘Report’ section notes:
(i) A number of improvements had been made since 2017, including
enhancing Post Office policy and procedures, raising awareness,
developing monthly management information, and regular reporting to
RCC and ARC. However, it was recognised more could be done to
improve the maturity of the Post Office approach. Accordingly, as part of
its review, Post Office had approached Protect, a UK whistleblowing
charity for support. This included a self-assessment and_ industry
Page 72 of 141
WITN11190100
WITN11190100
benchmarking of the regulatory requirements, current industry best
practice and Protect’s Code of Practice, and a training workshop which
was attended by some GE members and senior managers.
(ii) The monthly MI pack on whistleblowing had been updated to provide more
granular data on issues raised by or about Postmasters. A review had also
been undertaken to ensure there was sufficient understanding across
teams that interacted with and captured those issues.
(iii) It was agreed there should be a dedicated Whistleblowing Manager within
the Compliance Team to manage whistleblowing and assist in the conduct
of investigations. External recruitment for that role was nearing completion
and it was hoped to have this in place by May. Additionally, Zarin Patel
had agreed to become the newly-created NED Whistleblowing Champion,
subject to ARC approval.
(iv)Migration of the external Speak Up line to the new Navex Global
EthicsPoint platform had been completed, and all enhancements
implemented.
(v) A new module had been developed in SuccessFactors and was being
undertaken by all employees for completion by April. 14°
(x) In summary, the ‘Conclusions and Recommendations’ section notes:
(i) Post Office had a good policy and incidents had been managed in
accordance with it, although further work on engagement, including
training and operational improvements was needed. In particular: ‘Whilst
48 POL ARC meeting pack dated 31 March 2021 [POL0042369Q). I note the report states ‘1st April 2020’, but given the report is dated
30 March 2021 it is likely that this is intended to refer to April 2021.
Page 73 of 141
WITN11190100
WITN11190100
the policy and process were intended to cover employees and the
protections afforded them under the law, reports have historically been
received from postmasters, their teams, customers and the general public,
and these reports have always been investigated and managed under the
whistleblowing policy. Improvements to communications and awareness
have been made in recent years, but the lack of training for all employees
and, in particular, line managers needs adadressing.’'4+
(ii) It had been identified prior to the Protect self-assessment that a training
and communications programme was needed in 2020/21 and this had
been budgeted for, although it had been hampered by Covid and the loss
of the role supporting this work.
(iii) The following were key recommended activities in 2021/22:
1. ‘Continue to work with Protect to identify improvements and
enhancements’
2. ‘Provide the monthly whistleblowing MI pack to all GE
members to ensure visibility’
3. ‘Quarterly meetings with the Whistleblowing Champion to
review cases and activities, together with monthly meetings
with the postmaster and customer complaints teams to
ensure that complaints or issues they receive that are in fact
whistleblowing, are appropriately identified and
investigated.’
‘4 Page 13, POL ARC meeting pack dated 31 March 2021, POL0042369Q)
Page 74 of 141
WITN11190100
WITN11190100
4. ‘Work with the People Function and L&D to enhance on-
boarding and line manager training relating to
whistleblowing’
5. ‘Review and update the Whistleblowing Team’s procedures,
including those relating to the whistleblower and
mechanisms to obtain feedback from whistleblowers’
6. ‘A programme of continual communication and awareness,
including refreshing posters for office locations as staff
return to work locations following Covid’
7. ‘Update Settlement Agreements to remove potential
ambiguity
8. ‘The Protect self-assessment benchmarking should be
undertaken again in June 2021 and annually thereafter to
test and demonstrate improvements achieved from planned
activities’ 145
(y) The minutes of the ARC meeting on 30 March 2021 [POL00423672] note that the
paper was taken as read, and that the following points were highlighted:
- ‘The major changes were that Zarin Patel, as an independent Non-
Executive Director, was to be appointed as Post Office's
Whistleblowing Champion and a new dedicated whistleblowing
manager was being recruited. The policy has been updated to reflect
these changes and to align with the Investigations Policy.
4 Pages 13-14, POL ARC meeting pack dated 31 March 2021, [POL00423699}
Page 75 of 141
WITN11190100
WITN11190100
- The Policy has also been externally reviewed by Protect.
- The focus in this area over the next six months was to be on training
and awareness via an employee training module on SuccessFactors
and working with HR to ensure whistleblowing was part of line
management training.
- Comments have been received from Zarin Patel outside of the
meeting to make some amendments to section 1.9 of the policy to
clarify the wording and make clear that the Whistleblowing Champion
is an independent Non-Executive Director. These amendments had
been agreed prior to the meeting.
- It was also flagged that whistleblowing was not noted on the corporate
website. Sally Smith confirmed that this had also been raised in the
review along with the suggestion that whistleblowing be part of the
Annual Report and Accounts. The team was considering these
suggestions carefully to ensure a coordinated approach, for particular
consideration with the new Whistleblowing Manager. This would be
resolved within the next six months.
- It was agreed that this matter should be reviewed by the Committee
in six months’ time.’"°
(z) The minutes record that the Committee noted the whistleblowing review as part
of its role in monitoring the adequacy and effectiveness of the Group's
‘# Pages 4-5, minutes of ARC meeting dated 30 March 2021 [POL00423672],
Page 76 of 141
WITN11190100
WITN11190100
whistleblowing systems and controls, and approved the proposed amendments
and the appointment of the Whistleblowing Champion.
90. September 2021: The ARC Committee received a whistleblowing report. It outlines
the progress made since the March 2021 meeting and a review of the MI
[POL00423672]. The Appendix to the whistleblowing report for 2020/21
[POL00423599] provides a summary of the reports received in 2020/21 together with
a list of actions and progress in relation to the Speak Up space.
Risk and Compliance Committee ("RCC")
91.As I understand it, the RCC was a board level sub-committee prior to 2012. Post
separation, I understand that RCC has been a standing committee of GE/SEG
[POL00423347].
92.1 have seen Terms of Reference for RCC from March 2014 [POL00423255], March
2015 [POL00423347], July 2016 [POL00423386] and December 2020
[POL00423520]. The March 2014 Terms of Reference state that RCC is responsible
for "developing the stewardship of risk and policy frameworks by:... receiving and
reviewing compliance reports relating to:... whistleblowing" and it is stated that RCC
reported to ExCo and to ARC "as requested". I note that the March 2015 Terms of
Reference state that one of the committee's responsibilities is: "Receiving and
reviewing reports related to anti-money laundering, bribery / gifts & hospitality,
whistleblowing, internal audit activity". The July 2016 Terms of Reference amends
the committee's responsibilities and states it will "review with internal auditors the
results of any review of the compliance with the Company's codes of ethical conduct
Page 77 of 141
WITN11190100
WITN11190100
and similar policies including whistleblowing" [POL00423386]. I note that wording
from the July 2016 Terms of Reference is replicated in the December 2020 version.
In summary, the RCC will:
(a) Review and approve for recommendation (where applicable) to the ARC all
papers and decisions prior to submission to the ARC.
(b) Review and approve for recommendation to the ARC Key Group Policies.
(c) Review with the internal auditors the results of any review of the compliance with
the Group’s codes of ethical conduct and similar policies including
whistleblowing.
(d) Ensure the timely and appropriate reporting to the GE, the ARC, and Board (as
requested).
(e) Minutes of the RCC will be noted at the ARC.
93.1 have reviewed RCC Minutes and Meeting Packs that have been identified as
containing material relating to whistleblowing. I do not summarise every document,
but instead set out below a brief overview of the documents from RCC that I have
seen that touch upon whistleblowing, to illustrate the type of whistleblowing
information and documents that are received by RCC:
(a) 21 January 2015: I have seen Minutes from the RCC [POL00423573] (which
state the meeting date was 21 January 2015, but is dated 16 March 2015), which
include a 'whistleblowing update': "The committee received an update on recent
whistleblowing activity. The committee noted that call levels were very low and
that marketing of the whistleblowing line is needed", with an action to "Prepare
and implement a communications plan to raise awareness of the whistleblowing
Page 78 of 141
WITN11190100
WITN11190100
line" to be led by Arnout van der Veer. The stated update is as follows: "Comms
plan has been drafted. The Speak Up (whistleblowing) policy is being reviewed
and once signed off comms plan will be implemented". In the meeting pack for
this meeting, the Risk and Annual Committee Annual Agenda is included and
states that the whistleblowing report would be received and agreed in April
[POL00423563].'4’ I have been unable to locate the 2015 annual whistleblowing
report and so do not know whether one was provided or not.
(b) 16 March 2015: Minutes from the RCC again note the action to "prepare and
implement a communications plan to raise awareness of the whistleblowing line",
with an update stated as follows: "whistleblowing framework currently under
review" [POL00423572].
(c) 1 May 2015: Minutes note again that: "whistleblowing framework currently under
review" [POL00423297]. In the meeting pack for this meeting [POL00423564], a
paper titled 'The Code: Questions for board to consider in its annual assessment
process' poses a question regarding how the Board has assessed its culture and
in what ways does the Board satisfy itself that the company has a speak up
culture. Under 'status' it is stated that "PO has a whistleblowing policy, code of
conduct and key behaviours set out. Employees are represented by union
leadership, and other representative organisations".'4® Another question in this
document is: "what are the channels of communication that enable individuals,
including third parties, to report concerns, suspected breaches of law or
47 Page 11, Risk and Annual Committee Annual Agenda POL00423563,
48 Page 15, The Code: Questions for board to consider in its annual assessment process POL00423564).
Page 79 of 141
WITN11190100
WITN11190100
regulations, other improprieties, or challenging perspectives?". Under 'status', the
document points to the whistleblowing policies as answer to this question, and
under common practice, it states "outside the formal process of whistleblowing,
this is really down to culture and how open communication is being
encouragea".'*° Another document included in the meeting pack is called
‘Appendix A: Principal Risks' lists one of the risks to Post Office as "potential for
disaffected ‘whistle-blower’ in high change environment triggers FCA
investigation" .'5°
(d) 6 August 2015: Minutes again note that: "whistleblowing framework currently
under review" [POL00423370].
(e) 7 September 2015: Minutes state that the whistleblowing "policy will be updated
in line with policy framework review... comms will be tailored to requirements of
policy" [POL00423310].
(f) 5 May 2016: Minutes state that: "JM provided an update on the whistleblowing
process. JM stated that there have been no major incidents of whistleblowing
during the financial year. A total of seven incidents were reported which have
been investigated and closed. JM stated that in the coming financial year the
whistleblowing process will be further publicised to increase awareness"
[POL00423367]. I note that 'JM' refers to Jane MacLeod. A number of documents
related to whistleblowing are in the associated meeting pack [POL00423565]:
¥# Page 17, The Code: Questions for board to consider in its annual assessment process POL00423564)
1 Page 22, The Code: Questions for board to consider in its annual assessment process POL00423564).
Page 80 of 141
WITN11190100
WITN11190100
(i) A number of policies were put to the RCC for approval (although the
minutes make clear that further work was required before they would be
approved). Appendix 5 of the 'Policy Approval - Summary of Policies (7)
and rationale’ states that a revised whistleblowing policy was to be
approved by RCC and ARC in May 2016, sponsored by Jane MacLeod
and owned by Nisha Marwaha (Employment Lawyer), "to help Post Office
meet its legal and regulatory internal and external obligations. To
implement good practice and engender good standards in this context".'®'
(ii) A document called 'Review of RCC Terms of Reference’ states that "no
whistleblowing report was provided in 2015/16. One is being provided in
May 2016".152
(iii)A document called 'General Control Framework’ provides an update on
the ‘general control frameworks' project and under a section titled
‘governance and feedback' it is stated that: "a Whistleblowing policy and
service is available to all staff and calls are actively followed through and
appropriately reported to the Board. Similarly a Complaints procedure is
available to customers, suppliers and other external stakeholders”.‘°
(iv)A document called, 'Review of whistleblowing procedures in 2015/16'
accompanied the revised whistleblowing policy for approval. As it states
that the purpose of the document is to "update the Risk & Compliance
committee on the operation of the whistleblowing procedures in Post
Office over the last year",5* I understand that this document is the
'S! Page 254, RCC Meeting Pack, 05.05.2016 [POL00423565]
18 Page 12, RCC Meeting Pack, 05.05.2016 [POL00423565].
18 Page 43, RCC Meeting Pack, 05.05.2016 [POL00423565]
1 Page 185, RCC Meeting Pack, 05.05.2016 [POL0042356§].
Page 81 of 144
WITN11190100
WITN11190100
‘whistleblowing report' as required by RCC's Terms of Reference. It stated
that the proposed revised policy had been reviewed by an external auditor
for compliance with the whistleblowing regulations for the financial sector;
that the previous version was complied with, but that awareness of the
whistleblowing line amongst employees was low; that seven
whistleblowing reports were received in the year to 31 March 20161, an
increase from only three the year prior; and that once the policy was
approved the correct method of dealing with whistleblowing reports and
the availability of the Speak Up line would need to be communicated to all
employees.1%° In the conclusion section, it is stated that "a large number
of calls are made annually to the Security reporting line ‘Grapevine’ and it
is likely that some of these calls could be classed as whistleblowing
reports, but there is currently no mechanism to distinguish them".15”
Appendix 1 of this document lists the seven whistleblowing reports
received in 2015/2016, noting the date of the report, the subject of the
report, the action, and the result.
(g) 8 September 2016: Minutes reference whistleblowing as part of a discussion
around a ‘financial services deep dive’, as follows: "OW noted that it was
necessary to have a clear whistleblowing process available to branches selling
financial services. The Committee noted that the extent of monitoring required
‘88 Pages 186-187, RCC Meeting Pack, 05.05.2016 [POL00423569]. This section of the meeting pack contains a document called
“Summary of whistleblowing reports in the year 2015/2016’ sets out the seven whistleblowing reports that were received in 20/2016,
setting out the subject matter very briefly, the action and the resut. All are noted to be closed.
18 Page 185, RCC Meeting Pack, 05.05.2016 [POL00423565]
187 Page 185, RCC Meeting Pack, 05.05.2016 [POL0042356§].
Page 82 of 141
WITN11190100
WITN11190100
was directly linked to the extent to which financial services were sold over the
branch network" [POL00423377]. I note that OW is Owen Woodley, Sales
Director, Network and Sales. In the associated meeting pack [POL00423566],
there are a number of documents relevant to whistleblowing:
(i) A document is included in the meeting pack called ‘meeting our appointed
representative responsibilities’. Under the 'people' section, it is noted that
"the whistleblowing ‘speak up' policy has been revamped" and that
"corporate services to re-launch ‘speak up' policy (Sep)".' In the
evidence appendix, it states that the revised Speak Up policy was
approved by the ARC on 18 May 2016.'5°
(ii) In respect of policy approvals, an ‘Appendix 1: Key Policies - Governance
Approvals Calendar’ notes that the whistleblowing policy is approved, and
it is noted in the column for March that the policy goes to ARC and
Board.1©°
(iii) Post Office's Investigations Policy (which was approved at the meeting)
appears to apply to whistleblowing. At page 5 of the internal document, it
states that the person who is conducting an investigation should identify
whether "there are any other applicable existing Post Office procedures.
For example, Whistleblowing...".'°' At page 6, it states that "in some
circumstances it may not be appropriate to share outcomes/ findings, e.g.
in the context of whistleblowing investigations".'® From these references,
"8 Page 39, RCC Meeting Pack, 08.09.2015 [POL00423566],
"8 Page 47, RCC Meeting Pack, 08.09.2015 [POL00423566]
1 Page 100, RCC Meeting Pack, 08.09.2015 [POL00423566]
18 Page 105, RCC Meeting Pack, 08.09.2015 [POL00423566]
1 Page 106, RCC Meeting Pack, 08.09.2015 [POL.00423566].
Page 83 of 141
WITN11190100
WITN11190100
I understand that this investigations policy would have applied to
investigations conducted following a Speak Up report.
(iv) Post Office's Physical Security Policy (which was approved at the meeting)
refers to the Speak Up line, and provides the whistleblowing email
address, Speak Up line telephone number, and a link to the Speak Up
online portal. It also states that staff can contact their line manager, a
senior member of the HR team, or Jane MacLeod directly (and provides
her telephone number)."®
(h) 4 May 2017: Minutes state that the RCC noted the Whistleblowing Report
[POL00423391].'°4 The associated meeting pack [!" 4] contains the
Whistleblowing Report for 2017.1% It notes the ways that whistleblowing reports
can be raised: to line managers, senior managers, through the Speak Up line, to
General Counsel via the whistleblowing email address, or in certain cases
through external reporting (such as to a regulator). It states that Postmasters can
raise concerns through the Grapevine reporting line and website, but that
concerns raised in this way are investigated by the security team. It states that
from March 2016 to May 2017, only two whistleblowing reports were made (as
opposed to three in 2014/2015, and seven in 2016/2016): the first was a report
to FCA and Bank of Ireland by an individual concerned that staff at a branch could
initiate transactions under a single log in; and the second was an anonymous
report to the Speak Up line concerned about software procurement. The action
18 Page 122, Post Office Risk and Compliance Committee Agenda, 08 September 2016 [POL00423566].
1% Page 5, Risk and Compliance Committee Minutes 04 May 2017 POL0042339 1)
18 Page 118, RCC Agenda, 4 May 2017,
Page 84 of 141
WITN11190100
WITN11190100
was noted, and it appears they were both closed.'® The report notes that the
whistleblowing policy is referenced in many other Post Office policies, and the
Code of Conduct, and that in 2017 Post Office had issued communications
across the business reminding colleagues of the whistleblowing policy and
processes. It was noted that the second report raised followed one such
communication.'®”
(i) 13 September 2017: The minutes note that the RCC approved the revised
whistleblowing policy. It was also noted that the Chair commented that the
number of reports seemed low and that "work was being done to ensure that
between the Speak Up Line, Grapevine and the Executive Correspondence
Team, all reports of potential wrongdoing were captured" [POL00423410]. The
meeting pack contains a document called 'Post Office Legal and Regulatory
Framework’, which sets out that all business areas (excluding the CEO) were
responsible for compliance with PIDA 1998 [POL00423693].'6 Under
‘obligations’ it sets out what a qualifying disclosure is, and states that "new FCA
rules in 2016 on whistleblowing means firms must have a whistleblowers'
champion in place - this should be a non-executive director or senior manager
who will need to report to the board on whistleblowing stats, at least on an annual
basis". It stated that Martin Kirke had accountability within Post Office for PIDA
1998 and under evidence, it is stated: "Whistleblowing Policy on POL intranet,
comms issued to employees and Postmasters". Under board impact it is stated
18 Page 118, RCC Agenda, 4 May 2017{,
187 Page 119, RCC Agenda, 4 May 2017
18 Page 89, RCC Meeting Pack, 13 September 2017 [POL00423693)
Page 85 of 141
WITN11190100
WITN11190100
that the board could be impacted because: "dismissed whistleblowers have two
remedies: against employers and against those who are the ‘controlling mind’
behind dismissal or cause the dismissal/detriment their whistleblowing brings
them. Both the employer and director/s, including NEDs, may be jointly and
severally liable"."°° The executive summary accompanying the revised
whistleblowing policy (v1.5)'7° summarises the key changes to the previous
policy as follows: "updating contact details and help line numbers"; "ensuring that
all teams across the business that may receive whistleblowing reports ensure
that these are passed onto the Whistleblowing Officer and handled
confidentially"; and "a new section has been included clearly mapping minimum
control standards, responsibilities and timescales".'"' It is stated that once the
policy was approved "there will be a One communication to advise all employees
of the changes and provide a link to the updated document on the Post Office
Intranet". It is also noted that: "Post Office Limited provides Post Office
Management Services (POMS) with its policies suite in the form of “Group
Policies.” POMS is required under its regulatory responsibility to the Financial
Conduct Authority to have up to date policies and failure to do so may lead to
regulatory sanctions or penalties".‘72
(j) 10 July 2018: The minutes note that a revised whistleblowing policy (v.2.1) was
approved [POL00423574]. It also notes that Sally Smith (Head of Financial Crime
/ MLRO) updated the RCC: "SS presented this as work in progress and the
'©® Page 106, RCC Meeting Pack, 13 September 2017 [POL00423693
179 Page 160, RCC Meeting Pack, 13 September 2017 [POL000423693).
17 Page 159, RCC Meeting Pack, 13 September 2017 [POL000423693}
172 Page 159, RCC Meeting Pack, 13 September 2017 [POL.000423693}
Page 86 of 141
WITN11190100
WITN11190100
Committee had a discussion around raising awareness. Most items come from
our agents rather than from our employees although there are some issues
reported via Speak Up. AC posed the question of whether the whistleblowing
definition should be relaxed to include incidents of Bullying and Harassment and
also whether whistleblowing is understood across the business. JM responded
that the business has used PV's blogs, posters and Yammer to reinforce the
message. JM commented that whistleblowing is for legal breaches and that as a
business if an item is reported through an incorrect channel, it will still be referred
appropriately. A range of channels exist for reporting inappropriate behaviours.
ACTION- SS to propose a programme of communications. GE to raise
awareness and SS to contact Amber Kelly to include in cultural work... The Audit
programme had been constructed to address high risk areas and
communications had not been flagged as high risk. PV to discuss integrated
communications review with Mark Davies. AC noted that people may understand
less that it is assumed that they do. JH noted that in the past it was part of the
role of all managers to visit 10 branches to communicate which had a large impact
although it was a costly exercise. JH to have discussion with Debbie Smith on
this matter" ."7°
(k) The associated meeting pack [POL00401627] includes an Internal Audit Plan for
2018/2019, which notes that Jane MacLeod is the whistleblowing sponsor and
that the audit was not yet started. '”4 In a Compliance Report, it was noted that in
respect of whistleblowing there were "no material non-conformance issues to
173 Pages 6-7, Whistleblowing Policy Version 2.1 POL00423574,
1™ Page 34, RCC meeting pack dated 10 July 2018 POL00407627).
Page 87 of 141
WITN11190100
WITN11190100
report’.'7> The Executive Summary together with the revised policy notes that
there were no substantive amendments to the whistleblowing policy from the
previous version and that minor amends were made to: "revised definition of
serious incidents in section 1.3"; "updated with new link for Speak Up web portal;
"added communication and awareness to all staff as minimum control standards";
and "included reference to Whistleblowing Officer nominated deputies to
minimum control standards".‘7° In Appendix A of this document, called the
‘Minimum Control Standards Assurance’, all first and second level defences
associated with whistleblowing were marked as effective. I summarise the
‘assurance comments' as follows:
(i) Whistleblowing log spreadsheet is maintained and monitored by a
Whistleblowing Office and Financial Crime Team and summary reports
provided to ARC and RCC;
(ii) Whistleblowing communications launched in May 2018 (two examples of
an article which was circulated via internal communications can be found
at [POL00423482and POL00423477];
(iii) Systems and reports restricted to Whistleblowing Officer and deputies
(and where reports need to be sent to others, there is a confidentiality
requirement);
(iv) Training provided to Grapevine, NBSC, Customer Support and ECT in
August 2017;
(v) Contract with InTouch / Expolink was reviewed; and
175 Page 42, RCC meeting pack dated 10 July 2018 [POL00401627].
178 Page 148, RCC meeting pack dated 10 July 2018 POL00407627).
Page 88 of 141
WITN11190100
WITN11190100
(vi) Further training was planned‘7’.
The Whistleblowing Annual Report is also in the meeting pack’ and it is
noted that a complete review of reporting channels and processes had
been undertaken. It stated that "whistleblowing reports received have not
identified any significant areas of concerns nor do they indicate any
systemic problem within the Post Office. The majority have been from
agents or agent assistants, which Post Office treats in the same way as
employees under the Employment Rights Act 1996 and the Public Interest
Disclosure Act 1998".'79 It is noted that during 2017/2018, 37
whistleblowing reports were received and 33 cases were closed, with the
majority of allegations about postmasters or agent assistances, with the
largest category being an allegation of fraud. '®° It was noted that the most
popular channels used to report concerns was the Speak Up line and
Grapevine.1®1
(I) 9 May 2019: Minutes states that a "question was raised about whether our
whistleblowing policy was being used as we would hope. JH advised the
whistleblowing hotline would become a Freephone number and that work was
being undertaken by HR to encourage a culture which encouraged employees to
raise issues of concern" [POL00423460].'®2 I note that JH is Jonathan Hill. In the
"7 Pages 150-152, RCC meeting pack dated 10 July 2018 [POL00401627).
178 Pages 172-175, RCC meeting pack dated 10 July 2018 [POL00401627I
179 Page 172, RCC meeting pack dated 10 July 2018 [POL00407627]
18 Page 174, RCC meeting pack dated 10 July 2018 POL00407627).
18 Page 175, RCC meeting pack dated 10 July 2018 POL00407627)
1® Page 5, RCC minutes dated 9 May 2019 [POL00423460}
Page 89 of 141
WITN11190100
WITN11190100
associated meeting pack [POL00423567], it is noted at the 2018/2019 ‘Internal
Audit Plan’ that the whistleblowing process was rated as 'satisfactory’.'®° A
‘Compliance Report’ also noted that, in respect of whistleblowing, there were no
material issues to report and that following February’s Whistleblowing survey a
newly formed Ethic’s Code of Business Task Force was being formed on how to
promote key messages and improve the service. '®4
(m) 4 July 2019: The minutes state that the whistleblowing policy was approved for
submission to the ARC on 29 July 2019 [POL00423462].'®5 In the associated
meeting pack [POL00423568], the Risk, Compliance and Audit Report notes "no
material issues to report" in respect of whistleblowing'®* and the Internal Audit
Plan Status notes whistleblowing's status is satisfactory'®’. The whistleblowing
report (called the Whistleblowing Review 2018-2019) is included in the meeting
pack, and, in summary, it is noted that:
(i) An internal audit was undertaken at the end of 2018 which concluded that
the whistleblowing process was well managed by the financial crime team,
with some recommendations: "Minor amends and clarifications in the
Whistleblowing Policy"; "Expolink contract had not been renewed due to
queries relating to GDPR clauses"; "A mechanism is needed to confirm
Staff awareness of whistleblowing arrangements and inform future
awareness campaigns"; "The Whistleblowing Policy states that
18 Page 22, ARC meeting pack dated 9 May 2019 [POL00423567].
"8 Page 42, RCC meeting pack dated 9 May 2019 [POL00423567].
85 Page 7, RCC minutes dated 4 July 2019 [POL00423462}
1% Page 56, RCC meeting pack dated 4 July 2019 [POL00423568}
187 Page 57, RCC meeting pack dated 4 July 2019 [POL00423568}
Page 90 of 141
WITN11190100
WITN11190100
investigations should be conducted in accordance with the Investigations
Policy, however this had not been reviewed or updated since September
2016. Once the policy is updated, targeted training and guidance is
needed for whistleblowing investigations"; and "Root cause analysis and
action plans to address recurring cases was not fully evident — monthly MI
and commentary has now been updated and implementea".1®
(ii) An online survey was conducted in March 2019 to review staff awareness
of whistleblowing; monthly MI was shared with HR to ensure consistent
messaging; and financial crime team had attended industry forums and
enhanced reporting and investigation processes.
(iii) There were 43 whistleblowing reports in 2018/2019, mostly related to
allegations of fraud or financial mismanagement against Postmasters and
or Agent Assistants; however, it was noted that there had been an
increase in reports of unethical behaviour or conduct and breach of
internal policy. 18°
(iv) The changes to the policy from the previous versions are stated to be: "re-
ordering content to provide clarity to readers in line with feedback received
and incorporating clarification provided from legal review", "Updated
contact details for external reporting and change of name of Public
Concern at Work (PCAW) to ‘Protect’; "Clarification that any so-called
‘gagging clauses’ in settlement agreements do not prevent colleagues
from making disclosures in the public interest"; "Method and type of
feedback that a whistleblower can expect to receive"; "Explanation that
18 Page 134, RCC meeting pack dated 4 July 2019[POL00423568}
1® Page 134, RCC meeting pack dated 4 July 2019[POL00423568}
Page 91 of 141
WITN11190100
WITN11190100
anonymous whistleblowers will not ordinarily be able to receive feedback
and that any action taken to look into a report could be limited"; "An
indication of the time frame for investigating and responding to reports
raised"; and "Clarification that the whistleblower does not need to provide
evidence in order for the report to be investigated" .'°°
(n) 6 May 2020: Minutes state that the Chair asked for information as to the kind of
issues that were being raised by whistleblowers (insofar as it would not breach
any confidences) and queries whether it was appropriate to be putting
whistleblowing investigations on hold. Jonathan Hill explained that investigations
had been put on hold as they required the physical movement of people which
was not possible during lockdown: the Chair requested that investigations be
reviewed on a case-by-case basis with HR and challenged the assumption that
the investigation had to be paused [POL00423512].'*' The meeting pack
[POL00423569] includes the 'Risk, Compliance and Audit Report’, which stated
that Post Office had signed a new contract with Navex Global Ltd for hosting the
external whistleblowing speak up reporting channels and that Post Office was in
the process of migrating onto the new platform; that there had been an increase
in reports during March; and that two branch related investigations had been put
on hold due to Covid-19.1%
1% Page 135, RCC meeting pack dated 4 July 2019[POL00423568},
18 Page 3, RCC minutes dated 6 May 2020 [POL00423514.
1% Page 20, RCC meeting pack dated 6 May 2020 [POL00423569]
Page 92 of 141
WITN11190100
WITN11190100
(0) 13 July 2020: Minutes noted that the revised whistleblowing policy was approved
for onward submission to the ARC [POL00401614].'% The meeting pack
[POL00423570], including the Risk and Compliance Committee Report, which
noted that: the migrated to Navex Global Ltd platform was completed in May 2020
and further communications and awareness raising was planned for Summer;
there was a decrease in reports Q1 2020/2021, with 8 reports received in
comparison to 9 in Q1 2019/2020; and paused investigations should
recommence once lockdown eases.'% The annual whistleblowing report was
also provided, together with the revised whistleblowing policy (version 4.2). The
report noted that the Financial Crime team coordinate all whistleblowing reports
and investigations and a process document was created to provide guidance on
how to deal with reports from all channels; quarterly reviews of the Financial
Crime Policy Assurance Framework identified no deficiencies in whistleblowing
policy; a new contract with Navex (previously Expolink) was entered into and Post
Office migrated onto their new reporting platform; and in 2019/2020 there were
six communications to raise awareness of whistleblowing procedures. It was
noted there were only minor changes to the policy. It was also noted that reports
had decreased slightly from 43 in 2018/2019 to 41 in 2019/2020. The most
common complaint was a fraud allegation against Postmasters. '% It was noted
that the Investigations Policy, which the Whistleblowing Policy references, was
out of date and requiring review. The report concludes by stating that a
183 Page 6, RCC minutes dated 13 July 2020 POL00407614,
1% Page 24, RCC meeting pack dated 13 July 2020 POL00423579,
185 Page 165, RCC meeting pack dated 13 July 2020 POL0042357q).
Page 93 of 141
WITN11190100
WITN11190100
whistleblowing communications plan had been developed and that training
awareness presentation was planned. 19°
(p) 12 November 2020: Minutes include a whistleblowing update, which state that
"there were no thematic concerns and it was explained that the majority have
been received from agent assistants and relate to allegations concerning
Postmaster activity. A more centralised approach to Postmaster reported
concerns was being taken (separate from the whistleblowing process) so as to
ascertain any broad themes" [POL00423519].'9” The meeting pack contains a
‘Risk & Compliance Committee Report’ [POL00423571], which notes that there
was a slight increase in reports during August and September 2020 (8) compared
to the period in 2019 (5), with the majority from agent assistants concerning
Postmaster activity, and "we are procuring some initial consultancy work with
Protect (UK Whistleblowing Charity) to benchmark our whistleblowing policy and
processes and help us to identify if there are any control gaps. We are also
working with the Postmaster Complaints project to ensure that there is a
centralised view of postmaster complaints or reported concerns".'%
(q) 12 January 2021: Minutes note a mail fraud identified in November 2020 through
a whistleblowing report [POL00423536].' It was also noted that the
Investigations Policy, which was subject to a significant revision, was approved
"88 Page 166, RCC meeting pack dated 13 July 2020 POL0042357)
57 Page 4, RCC minutes dated 12 November 2020 [POL00423519}
1 Page 60, RCC meeting pack dated 12 November 2020 [POL0042357 1]
1% Page 12, RCC minutes dated 12 January 2021 [POL00423536).
Page 94 of 141
WITN11190100
WITN11190100
for onward submission to the ARC.?° In the associated meeting pack, the ARC
approved 'Post office Risk Appetite Scale’ noted that Post Office was ‘averse’ in
its approach to risk around whistleblowing i.e. it has an extremely low appetite for
any risks to materialises and will always select the option with the lowest risk
[POL00423694].7°' The 'Risk and Compliance Committee Report’ note that all
reports received in the last two months relate to the branch network with the
majority received from agent assistants raising concerns about Postmasters and
unethical behaviour or conduct. It was noted that the contract to procure Protect
(UK Whistleblowing Charity) to enable us to undertake self-assessment and
benchmarking is nearing completion and this should commence in January
Protect have been asked to deliver tailored training for GE and Senior Managers
as early as possible in 2021 and we are awaiting their proposals.*°? The fraud
identified via a whistleblowing report was set out in a Risk and Compliance
Committee Report from Tim Perkins.2°
(r
16 March 2021: Minutes note that the RCC "approved proposed amendments to
the Whistleblowing Policy and the appointment of the Whistleblowing Champion,
for onward submission to the ARC" [POL00423692].2°4 The meeting pack,
[POL00423695] contains a 'Whistleblowing Policy Review and Report’, by Sally
Smith (Head of Financial Crime / MLRO). This summarises the review conducted
by Protect, including high level summaries of the 163 whistleblowing reports and
2 Page 13, RCC minutes dated 12 January 2021 [POL00423536]
2°" Page 41, RCC meeting pack dated 12 January 2021 [POL00423694}
22 Page 50, RCC meeting pack dated 12 January 2021 [POL00423694
2 Page 148, RCC meeting pack dated 12 January 2021 [POL00423694
24 Page 13, RCC minutes dated 16 March 2021 (POL00423692,
Page 95 of 141
WITN11190100
WITN11190100
investigations received since 2013. The preliminary review from the report was
that there were no instances where detriment to a reporter had occurred, but
there were 15 cases where it was alleged, or could potentially have been suffered
by the subject of the report. It was stated that MI was being im proved, and that a
review had been undertaken to ensure there was sufficient understanding across
teams that interact with whistleblowing issues (concerning Postmaster
complaints), to ensure reports are passed to the Whistleblowing Team. It was
agreed that the Whistleblowing Officer being General Counsel had potential to
cause conflicts, so it was agreed a Whistleblowing Managers within the
Compliance Team should manage whistleblowing. It was agreed that Zarin Patel
would be Whistleblowing Champion, a newly created role.2°° The Protect self-
assessment resulted in a score of 72% for governance, 24% for engagement,
and 36% for operations.?°° It was noted that the policy had been amended,
including: "removal of some duplication and clarifying the definition of
whistleblowing, the investigations process and the treatment of reporters;
providing more information to reporters (e.g. other external advice available);
clarification of some of the definitions used in the policy; clarification that reporters
do not need to provide evidence and the different reporting types along with the
benefits and disadvantages of open/confidential/anonymous reporting; a new
minimum control standard for line managers; a new minimum control standard
for checking that whistleblowers fee! supported”.”°” In the conclusion, it was noted
that "to date, Post Office has not had any material reports, or found evidence of
25 Page 142, RCC meeting pack dated 16 March 2021 [POL00423695]
28 Page 143, RCC meeting pack dated 16 March 2021 [POL00423695}
2” Page 144, RCC meeting pack dated 16 March 2021 [POL00423695,
Page 96 of 141
WITN11190100
WITN11190100
Significant or material (or disclosable) wrongdoing through the whistleblowing
channel" 208
GE / Strategic Executive Group ("SEG")
94.The 'Group Executive’ (GE) is the most senior leadership team under the CEO,
accountable to the Board for the day-to-day operations of Post Office. It has very
recently changed its name to Strategic Executive Group (SEG).
95.1 have seen the GE Terms of Reference dated February 2015 [POL00423259] and
December 2016 [POL00423384]. Whilst these Terms of Reference state that the GE,
as a body, is responsible for “establishing day to day policies designed to manage
the operational risks within the business,” it does not explicitly mention
whistleblowing. I have also seen the GE Terms of Reference dated November 2020
[POL00423539]. It differs slightly in that it states that the GE’s purpose is to “assist
[... with] the day-to-day running of the business of the company, including the
development and implementation of strategy, operational plans, policies, procedures
and budgets.” However, like the 2015 and 2016 versions, it does not explicitly
mention whistleblowing.
96.My understanding is that the main responsibility for whistleblowing / Speak Up was
with the RCC and ARC (with the RCC reporting to the ARC, and the ARC
consequently reporting to the Board). In light of those lines of reporting, Post Office
28 Page 145, RCC meeting pack dated 16 March 2021 [POL00423695,
Page 97 of 141
WITN11190100
WITN11190100
has not conducted a full review of GE / SEG Minutes for references to whistleblowing.
However, I have seen the meeting pack of the GE meeting on 17 December 2015,
which includes RCC minutes (from 26 October 2015) which reference the plans to
raise awareness of the whistleblowing line in the action points [POL00237262].2°°
97.1 am also aware that MI Dashboards relating to whistleblowing have been provided
to the SEG on a monthly basis since April 2021 [POL00423690]
D2 Whistleblowing Process Management
98. The following paragraphs set out additional information that I am aware of regarding
developments in how whistleblowing was managed by Post Office, including
responsibilities, training, communications, record keeping, survey / audits and
reporting lines. It is noted that this Section D2 begins in 2017.
99.In April 2017, an email was sent to all staff from Communications which included
reference to whistleblowing and linked to an intranet article [POL00423682].
100. In June 2017, the Financial Crime team (Head of Financial Crime/MLRO and
Senior Financial Crime Manager) took over the day-to-day responsibility for
whistleblowing policy management and communications. Subsequently, in
November 2017, the team also took over responsibility for whistleblowing
investigation logging, assignment, tracking and reporting.
208 Page 251, POL RCC Minutes dated 26 October 2015 [POL00237262]
Page 98 of 141
WITN11190100
WITN11190100
101. An email chain 17 August 2017 between Georgina Blair (Regulatory Risk
Business Partner), Tracy Curtis (Operations Manager — Banking), Vitor Camara
(Finance Crime Manager), and Sally Smith (Head of Financial Crime / MLRO)
[POL00423395] confirmed that there was no whistleblowing training for new joiners
to Post Office but that there were whistleblowing elements in the annual compulsory
Anti-Money Laundering training.?1°
102. In June 2017, the monitoring of whistleblowing was changed from a disparate
activity across Grapevine (Post Office’s physical security contractors which provided
the Post Office Security function such as the use of CCTV and security hotlines),
Customer Support, and the Executive Correspondence Team to a centrally managed
process overseen by the Financial Crime team. The Financial Crime team took over
the day-to-day responsibility for Whistleblowing policy management and
communications. Subsequently in November 2017, the team also took over
responsibility for Whistleblowing investigation logging, assignment, tracking and
reporting.
103. As of March 2018, Sally Smith, the Head of Financial Crime / MLRO, began to
provide regular whistleblowing updates for inclusion within the Financial Crime Risk
Updates, and from October 2018, within combined RCC papers. As outlined above,
updates were provided at every RCC meeting from March 2018 onwards.
20 Email chain dated 17 August 2017, POL00423395)
Page 99 of 141
WITN11190100
WITN11190100
104. The Audit Report [POL00423421 and POL00423514] noted that there was an
awareness campaign launched in May 2018 including a Branch Focus article for
DMBs [POL00423498], an intranet article, and posters in customer support centres,
supply chain sites and DMBs.2"' The absence of annual compulsory whistleblowing
training for investigators was noted. These investigators were described as senior
staff with team management responsibilities. Internal Audit identified a risk that
without root cause resolution unethical/unacceptable behaviours could continue. The
report was distributed to Jane MacLeod (Group Director of Legal Risk &
Governance), Paula Vennels (Group CEO), Mo Kang (Group HR Director), Sally
Smith (Head of Financial Crime / MLRO).
105. Anarticle dated 4 May 2018 explained what whistleblowing was and what might
constitute it in the context of Postmasters and their assistants [POL00423484]. Post
Office has not been able to identify whether this definitively formed part of the
awareness campaign but given the date it is likely that it was. Further awareness
campaigns were noted as being planned for December 2018. It appears that this
included a further update to the intranet page [POL00423473]. Following the May
2018 communications campaign, reports increased from two in May 2018 to six in
June 2018 then dropped back to two each in July, August, and September 2018.21?
106. The poster for Post Office branches [POL00423498] directs the reader to "/ook
for the Whistleblowing poster (stock code) included in your stock delivery for internal
211 Page 4, POL Internal Audit Report, Whistleblowing Process, issued 2 January 2019 POL00423421 and POL00423514.
22 Page 4, POL Internal Audit Report, Whistleblowing Process, issued 2 January 2019 POL00423421 and POL00423514,
Page 100 of 141
WITN11190100
WITN11190100
display". It states that: "Whistleblowing refers to the act of exposing potential or
actual wrongdoing by reporting it internally within an organisation, or externally for
example to a regulator. Post Office is committed to conducting business with the
highest standards of honesty, integrity and openness. Colleagues can raise
concerns in confidence, secure in the knowledge that we will take those concerns
seriously and act on them. Our Whistleblowing Policy sets out the procedure to follow
if a colleague wants to raise a concern. The business will support anyone who raises
a genuine concern, even if it turns out to be mistaken. You will not be treated unfairly
or liable to disciplinary action as a result of doing so". It sets out the three ways
concerns could be raised: by contacting line manager or HR director; contacting the
Speak Up Line or webpage; or contacting the WO by email. It states more information
could be found on the intranet or in the HR Advice Speak Up guidance. I have not
seen a copy of this HR guidance.
107. Monthly MI for whistleblowing was first developed in October 2018 by the then
Financial Crime Manager to help identify systemic issues, training needs and
knowledge gaps. This was sent to the then General Counsel, and subsequently to
the current Group General Counsel in May 2019. An example of whistleblowing MI
for 2019/20 can be found here [POL00423504].
108. In 2019, Ben Foat was appointed Post Office Group General Counsel and
became responsible for whistleblowing within Post Office.
Page 101 of 141
WITN11190100
WITN11190100
109. I have seen an internal audit report by Deloitte, dated 2 January 2019, titled
‘Whistleblowing Process' [POL00423421 and POL00423514]. It was found that Post
Office's whistleblowing processes were 'satisfactory', and it was stated that: “The
Whistleblowing process is well managed by the Financial Crime Team and
monitoring and reporting has been improved since they assumed responsibility a
year ago. The further improvements, both in progress and highlighted here, will help
ensure that Post Office colleagues have confidence to use the process when
appropriate’”?"*. I note some of the key findings as follows, with Deloitte stating that:
(a) The Whistleblowing Policy is broadly in line with good practice, however it was
recommended that: clarification that so called 'gagging clauses’ in settlement
agreements do not prevent whistleblowing; addition on method and type of
feedback that a whistleblower can expect; and indication of the time frame for
investigation and responding’ and clarification that the whistleblower doesn't need
to provide evidence. It was noted that a whistleblowing process document was
being drafted and the report noted that the draft did not include defined criteria
for reporting of serious incidents (as policy states these must be reported to the
Chair of ARC) 2"4.
(b) There was not a signed contract with Expolink?"®.
(c) There was no mechanism in place to confirm and measure staff awareness of
Post Office's whistleblowing arrangements and to gauge success of the
awareness campaign run by Post Office in May 20182"°.
29 Page 1, Internal Audit Report, 'Whistleblowing Process, issued 2 January 2019 [POL00423421 and POL00423514,
24 Page 3, Internal Audit Report, 'Whistleblowing Process’ dated 2 January 2019 POL00423421 and POL00423514,
25 Pages 3-4, Internal Audit Report, ‘Whistleblowing Process’ dated 2 January 2019 POL00423421 and POL00423514,
28 Page 4, Internal Audit Report, 'Whistleblowing Process’ dated 2 January 2019 POL00423421 and POL00423514,
Page 102 of 141
WITN11190100
WITN11190100
(d) Whilst the Anti-Bribery and Corruption training covered Post Office's
whistleblowing arrangements (which staff were required to undertake), there was
no additional training provided to staff with responsibility for investigating
whistleblowing reports. The Investigations Policy had not been reviewed or
updated since September 2016?'7.
(e) There was a lack of root cause analysis in management information to assess
whether similar reports had been made before / steps could be taken to prevent
similar cases in future2"®.
(f) It was noted that Expolink managed the Speak Up line, and that any
whistleblowing reporting received from Grapevine, Customer Support, Executive
Correspondence Team and NBSC is emailed to a secure address monitored by
the Financial Crime Team?"?.
110. There was some work in 2019 to promote Speak Up within Post Office. This
included some intranet articles [POL00423475].
111. The external whistleblowing reporting channels supplier, Expolink Europe Ltd,
was acquired by Navex Global in June 2019. A new contract was entered into
between the Post Office and Navex Global to provide whistleblowing services, and
the Post Office migrated onto Navex Global's new reporting platform.
27 page 5, Internal Audit Report ‘Whistleblowing Process’ dated 2 January 2019 [POL00423421 and POL00423514
28 page 5, Internal Audit Report ‘Whistleblowing Process; dated 2 January 2019 POL00423421 and POL00423514,
2'8 Page 1, Internal Audit Report 'Whistleblowing Process’ dated 2 January 2019 POL00423421 and POL00423514
Page 103 of 141
WITN11190100
WITN11190100
112. An overview of Whistleblowing processes and the changes implemented from
June 2017 was produced by the Head of Financial Crime at the request of Group
General Counsel, when he began the role of Whistleblowing Officer in 2019
[POL00423456].
113. Post Office conducted a staff survey relating to Speak Up and the outcome of
this survey was set out in a word document dated April 2019 and titled ‘Our
Whistleblowing Survey Results’ [POL00423526]. This appeared to be a draft
communication to staff laying out the themes of a whistleblowing survey:
(a) Theme 1: not everyone understood what whistleblowing meant;
(b) Theme 2: not everyone knew where to find the Speak Up policy;
(c) Theme 3: not everyone knew how to make a Speak Up report; and
(d) Theme 4: people raised concerns that reports are not treated confidentially. I
have not seen any examples of why this belief was held at that time.
114. This appears to have been accompanied with a document called 'We Protect
Whistleblower's Anonymity’ [POL00423481], which addressed concerns that
whistleblowing reports might not be confidential. It is unclear to me from the face of
this document whether it was just sent to staff, or Postmasters too. A document
dated June 2019 called “its about following your conscience” also refers to
whistleblowing and repeats how a report can be made [POL00423478]. Post Office
has not been able to identify where this was publicised but given the reference to HR
Director it is likely it was an internal communications message.
Page 104 of 141
WITN11190100
WITN11190100
115. I have seen whistleblowing MI from 2020/2021 [POL00423527]. It sets out the
number of whistleblowing reports made each month from August 2019 to August
2020, broken down into subject type and reporting channel. It also set out who was
investigating the open reports: four were being investigated by Retail, three by
Security, two by the WO, two by Legal, one by Financial Crime, one by IT, one by
HR and one by a GE member.
116. There was a whistleblowing survey conducted in 2020 and reminders were
posted on the intranet about completing the survey [POL00423474; POL00423476].
117. The 2020 ‘Whistleblowing Process’ [POL00423530] states as follows in respect
of reporting and escalation:
(a) The whistleblowing log should be monitored and updated on a regular basis.22°
(b) The information in the log is used to populate MI. Each month, generally in the
first week, the Whistleblowing MI Pack needs to be produced and shared with the
following: Ben Foat (General Counsel); Sally Smith (Head of Financial Crime /
MLRO); Paul Blackmore (Senior Financial Crime Manager); and Jonathan Hill
(Compliance Director).22"
(c) The MI pack should include graphs showing categories, subject types, reporting
channels, reporter type and volumes of cases opened and closed. These graphs
should show a rolling 12 month period to help identify any trends or spikes;
commentary should be provided to support the graphs; any potential issues or
concerns identified through the reports should be raised; any news or media
articles relating to Whistleblowing; updates from any horizon scanning or industry
2 Page 14, Whistleblowing Process 2020 [POL00423534}
%' Page 14, Whistleblowing Process 2020 [POL00423539}
Page 105 of 141
WITN11190100
WITN11190100
forums; any changes or potential changes in legislation; any other work
undertaken as part of the whistleblowing service; and communications planned
and/or published to the business.?22
(d) Details of communications and awareness raising are set out at section 4.3. In
respect of 'upward reporting’, this document sets out the reports which are
produced to inform the business:
(i) The annual whistleblowing report: the report is due in July and presented
to RCC.
(ii) Internal audit report: this was done in January 2019 and the next will be
scheduled.
(iii) Annual MLRO report: whistleblowing is not covered within this report, but
it may be required to advise the MLRO of any financial crime risks or trends
which has been identified through the whistleblowing process?25.
118. Inthe ARC Whistleblowing Policy Review and Report [POL00423545] dated 30
March 2021, the following was noted:
(a) The monthly MI pack was updated to provided more granular data on issues that
are raised by or about Postmasters. Further, a review was undertaken to ensure
there was sufficient understanding across teams that interact with Postmaster
complaints, to ensure reports are passed onto the whistleblowing team?”4.
(b) To address the lack of formal training, a module was developed with
SuccessFactors and all employees would complete it by 1 April 2020 (together
22 Page 14, Whistleblowing Process 2020 [POL004235340}
% Page 15, Whistleblowing Process 2020 [POL00423534)
%4 Page 3, ARC Whistleblowing Policy Review and Report [POL.00423545]
Page 106 of 141
WITN11190100
WITN11190100
with planned communications "for employees and Postmasters to raise
awareness").225
(c) The results of the Protect self-assessment were summarised in Appendix 2.226
(d) A review of the 163 whistleblowing cases received by Post Office between 25
April 2013 and 25 January 2021 was set out at Appendix 1.227
119. As set out at paragraph 68(b) above, one of the changes brought in at this time
by the Whistleblowing Working Group was a Postmaster Complaints Dashboard that
captured MI about complaints from Postmasters via various channels. This was to
be viewed alongside the Whistleblowing MI Dashboard to ensure Postmaster
complaints requiring whistleblowing investigation were captured within
whistleblowing reporting. The Whistleblowing MI Dashboard also contained a
dedicated dashboard for Postmaster whistleblowing.
120. Whistleblowing complaints could be reported to the Speak Up team in the
following ways:
(a) via the Whistleblower’s line manager;
(b) direct to the Whistleblowing Manager;
(c) via a complaint to a front-line team, e.g., Area Managers, customer complaints;
and
(d) by contacting the “Speak Up” line, a confidential reporting service which is
operated by Convercent.
25 Page 3, ARC Whistleblowing Policy Review and Report [POL00423545)
226 Page 9, ARC Whistleblowing Policy Review and Report [POL00423549)
27 Page 7, ARC Whistleblowing Policy Review and Report [POL.00423545]
Page 107 of 141
WITN11190100
WITN11190100
121. Ml reports were collated from various channels / sources of information where
Speak Up reports may have been made, including
(a) Adopt an area — categorised by the Issue Resolution team and logged on
Dynamics (a case management system) (resolved by adopt an area owner and
recorded on SharePoint);
(b) Area managers — logged by the area manager on the call log or branch visit form
and recorded on the Retail Team Postmaster Issues form on PowerApp — for
those resolved by area manager. This data feeds the MI dashboard. For those
escalated to the Issue Resolution team, this will be resolved and logged by this
team on Dynamics and this will feed the MI dashboard;
(c) Branch hub — logged and resolved by the Issue Resolution team on Dynamics;
(d) Branch Support Centre ("BSC") — logged on Dynamics by BSC, escalated if
needed to the Issue Resolution team; and
(e) Customer Complaints team including social media — resolved and logged by
Customer Complaints team or passed over and logged by the Issue Resolution
team on Dynamics.
122. In addition to it featuring as a standing agenda item at monthly GE meetings, the
MI Dashboard were emailed to the Group General Counsel, Group Legal Director
and Whistleblowing Champion on a monthly basis. High priority cases contain
detailed updates, with less detail going into the lower impact cases. As of April 2021,
monthly MI for whistleblowing was anonymised and presented as a standing agenda
item at the GE meeting by Group General Counsel for noting every month.
Page 108 of 141
WITN11190100
WITN11190100
Statement of Truth
I believe the content of this statement to be true.
Page 109 of 141
Index to First Witness Statement of John Bartlett on behalf of Post Office
Limited
WITN11190100
WITN11190100
URN Document Description Production Number
POL0042367
1. Department for Business I POL-BSFF-0238485
° Innovation and Skills'
'‘Whistleblowing: Guidance
for Employers and Code of
Practice’
POL0036229
2. Shareholder Relationship I POL-BSFF-0190809
° Framework Document
POL0042320
3. Royal Mail Group Policy, I POL-BSFF-0238017
‘G07 Employee Confidential
Disclosures’, 02.08.2010
POL0003060
4. Post Office, ‘Speak Up I POL-0027091
° Policy’, 30.04.2012
Page 110 of 141
WITN11190100
WITN11190100
POL0042336
5. Post Office Whistleblowing I POL-BSFF-0238181
6
Policy (v1.4), 27.04.2016
POL0041346
6. Post Office Whistleblowing I POL-0193925
3
Policy (v1.5), 10.06.2016
POL0042339
7. Post Office Whistleblowing I POL-BSFF-0238209
4
Policy? (v1.6), 29.09.2016
POL0042361 POL-BSFF-0238426
8. Post Office Group Policies -
1
Whistleblowing Policy
(1.7)(draft) - August 2018
POL0042357
9. Post Office Whistleblowing I POL-BSFF-0238391
6
Policy* (v1.8) - 21.08.2017
POL0042345
10. Post Office Group Policies - I POL-BSFF-0238266
1
Whistleblowing Policy (v2),
25.09.2017
POL0042357 POL-BSFF-0238394
11. Post Office Group Policies -
9
Whistleblowing Policy (v2.1)
- 10.07.2018
Page 111 of 141
WITN11190100
WITN11190100
POL0042357
12. Post Office Group Policies - I POL-BSFF-0238393
8
Whistleblowing Policy (v2.2)
10.07.2018
POL0042346
13. Post Office Group Policies — I POL-BSFF-0238276
1
Whistleblowing Policy (v3),
29.09.2018
POL0042361
14. Post Office Group Policies — I POL-BSFF-0238428
3
Whistleblowing (v3.1) -
20.09.2018
POL0042358
15. Post Office Group Policies— I POL-BSFF-0238399
4
Whistleblowing (v3.2) - July
2019
POL0042358 POL-BSFF-0238396
16. Post Office Group Policies —
1
Whistleblowing (v3.3) -
04.07.2019
POL0042360
17. Post Office Group Policies —
2 POL-BSFF-0238417
Whistleblowing (v3.4) -
29.07.2019
Page 112 of 141
WITN11190100
WITN11190100
POL0042360
18. Post Office Group Policies— I POL-BSFF-0238418
° Whistleblowing Policy (v4),
19.09.2019
POL0042360
19. Post Office Group Policies - I POL-BSFF-0238419
4 Whistleblowing Policy (v4.1)
- 19.09.2019
POL0042358
20. Post Office Group Policies - I POL-BSFF-0238400
° Whistleblowing Policy (v4.2)
- April 2020
POL0042358 POL-BSFF-0238401
21. Post Office Group Policies -
6 Whistleblowing Policy (v4.3)
- 13.07.2020
22. I POLO003090 Post Office Group Policies— I POL-0027385
3 Whistleblowing Policy (v5),
27.07.2020
POL0042359 POL-BSFF-0238409
23. Post Office Group Policies -
4
Whistleblowing Policy (v5.1)
- 22.07.2020
Page 113 of 141
WITN11190100
WITN11190100
POL0042359
24. Post Office Group Policies - I POL-BSFF-0238411
6
Whistleblowing Policy (v5.3)
- 16.03.2021
POL0042359 POL-BSFF-0238405
25. Post Office Group Policies -
0
Whistleblowing Policy (v5.4).
30.03.2021
26. I POL0041344 Post Office Group Policies— I POL-0193906
4 Whistleblowing Policy (v6),
14.05.2021
POL0042361 POL-BSFF-0238425
27. Post Office Group Policies —
ie}
Whistleblowing Policy (v6.1)
- 14.05.21
POL0042319
28. Post Office Employee I POL-BSFF-0238007
2
Disclosure Policy V1
October 2005
29. Royal Mail Group policy I POL-BSFF-0238017
POL0042320
‘G07: Employee Confidential
2
Disclosures', 2 August 2010
POL0042315
30. Focus online issue 32/06 POL-BSFF-0237965
0
Page 114 of 141
WITN11190100
WITN11190100
POL0042319
31. Royal Mail Group intranet I POL-BSFF-0238010
5
page regarding
Whistleblowing
POL0042315
32. Post Office Limited Internal I POL-BSFF-0237967
2
Audit & Risk Management
Report dated February 2008
POL0042315
33. Post Office Limited POL-BSFF-0237968
3
Employee Disclosure policy
POL0042319
34. Employee Disclosure I POL-BSFF-0238011
6
Guidelines
POL0042338
35. Royal Mail Group Speak Up I POL-BSFF-0238195
0
Hotline Internal Audit & Risk
Management (IA&RM) High
Level Process (draft)
Page 118 of 141
WITN11190100
WITN11190100
POL0042319
36. Fraud, commercial and POL-BSFF-0238012
7
Information Security Review
2009/2010 for Post Office
POL0042320
37. Security Project Initiation I POL-BSFF-0238016
1
Document (PID)
POL0042319
38. Project Plan POL-BSFF-0238014
9
POL0042319
39. Security 4 Weekly Report I POL-BSFF-0238009
4
09/04/2010
POL0042320
40. Project Plan Whistleblower POL-BSFF-0238015
0
POL0042320
41. Whistleblower (Speak Up) In I POL-BSFF-0238019
4
Post Office Ltd, June 2010
POL0042320
42. Whistleblower (Speak Up) In I POL-BSFF-0238020
5
Post Office Ltd, August 2010
Page 116 of 141
WITN11190100
WITN11190100
POL0042320
43. One to one meeting record -— I POL-BSFF-0238018
3
Gary Thomas and Jason
Collins, 20 August 2010
POL0042320
44. Process map POL-BSFF-0238024
9
POL0042367
45. Email chain dated 3 August I POL-BSFF-0238492
4
2010 regarding employee
confidential disclosures
POL0042320
46. Whistleblowing Briefing I POL-BSFF-0238021
6
Paper
POL0042324
47. Grapevine Internal Fraud I POL-BSFF-0238062
7
Reporting Process V.2.0
POL0042320
48. Draft Speak Up policy POL-BSFF-0238022
7
Page 117 of 141
WITN11190100
WITN11190100
POL0042321
49. Email from Wayne Griffiths I POL-BSFF-0238025
ie}
dated 6 October 2011
POL0042321
50. Process for internal fraud I POL-BSFF-0238033
8
reporting
POL0042322
51. Process map POL-BSFF-0238036
1
POL0042324
52. Process for internal fraud I POL-BSFF-0238056
1
reporting v2 February 2013
POL0042367
53. Royal Mail Group draft Code I POL-BSFF-0238494
6
August 2011
POL0042325
54. Email from Georgina Blair to
2
Jessica Madron, 11 June
2013
POL-BSFF-0238067
Page 118 of 141
WITN11190100
WITN11190100
POL0042326
55. Schedule 1 POL-BSFF-0238080
5
POL0042323
56. Post Office Security - Top I POL-BSFF-0238045
0
Ten Tips
POL0042367
57. Email chain dated I POL-BSFF-0238495
7
September 2012 between
Wayne Griffiths and
Georgina Blair
POL0042367
58. Email from Georgina Blair to I POL-BSFF-0238497
9
Joe Connor dated 7
February 2013
POL0042323
59. Email chain from Georgina I POL-BSFF-0238047
2
Blair to others dated May
2012
POL0042323
60. Email from Georgina Blair to I POL-BSFF-0238048
3
Susan Crichton dated 5
October 2012
POL0042323
61. Project Initiation Document I POL-BSFF-0238053
8
dated 19 February 2013
Page 119 of 141
WITN11190100
WITN11190100
POL0042368
62. Email chain from Georgina I POL-BSFF-0238499
1
Blair on 30 October 2014
POL0042325
63. Email chain between Larissa I POL-BSFF-0238071
6
Wilson, Sarah Hall,
Georgina Blair, David
Mason, Sarah Long, and
Alwen Lyons dated 17
November 2014
POL0042325
64. Draft version (0.1) of a I POL-BSFF-0238069
4
Whistleblowing Policy dated
17 February 2014
POL0042329
65. Email chain from Georgina I POL-BSFF-0238107
2
Blair to Jane MacLeod dated
1 April 2015
POL0042332
66. Post Office Whistleblowing
9 POL-BSFF-0238144
Investigations Procedure
2015
Page 120 of 141
WITN11190100
WITN11190100
POL0042329
67. Email chain between Jane I POL-BSFF-0238108
3
MacLeod, Nisha Marwaha,
and Jessica Madron dated
29 July 2015.
POL0042329
68. Email chain between I POL-BSFF-0238109
4
Georgina Blair and Intouch
dated July 2015
POL0042332
69. Draft Whistleblowing Policy, I POL-BSFF-0238142
7
Version 0.4
POL0042330
70. Internal Audit Risk and I POL-BSFF-0238122
7
Compliance Committee
Report, September 2015
POL0042335
71. Executive summary decision I POL-BSFF-0238170
5
paper dated 5 May 2016
POL0042338
72. Post Office Group I POL-BSFF-0238198
3
Investigations Policy (v1),
28.09.2016
Page 121 of 141
WITN11190100
WITN11190100
POL0042366
73. ‘Whistleblowing — high level I POL-BSFF-0238478
3
investigation process and
lifecycle’, undated
POL0042338
74. Email chain between Sally I POL-BSFF-0238204
9
Smith, Georgina Blair and
others dated March 2017
POL0042322
75. Post Office Operations I POL-BSFF-0238044
9
Manual 2008 v2
POL0042338
76. Whistleblowing POL-BSFF-0238203
8
communications, Version 3
POL0042365
77. ‘Whistleblowing Process I POL-BSFF-0238472
7
v1.0’ (known as the "2019
Procedures")
POL0042353
78. Whistleblowing Process V2, POL-BSFF-0238345
0
26 October 2020
POL0042355
79. Postmaster Support Guide,
8 POL-BSFF-0238373
July 2020
Page 122 of 141
WITN11190100
WITN11190100
POL0042350 POL-BSFF-0238322
80. Postmaster Support Guide
7
powerpoint, June 2020
POL0042355
81. Postmaster Onboard Policy,
9 POL-BSFF-0238374
dated March 2021
POL0042368
82. Whistleblowing working I POL-BSFF-0238507
9
group actions and updates
dated 2 February 2021
POL0042354
83. Protect Whistleblowing I POL-BSFF-0238357
2
Report dated 18 February
2021
POL0042354
84. Whistleblowing Policy I POL-BSFF-0238360
5
Review and Report dated 30
March 2021
POL0042361
85. Protect Benchmarking I POL-BSFF-0238430
5
Report on Post Office's
whistleblowing
arrangements, 30 November
2021
POL0042369
86. KPMG Report dated August I POL-BSFF-0238515
7
2021 (draft)
Page 123 of 141
WITN11190100
WITN11190100
POL0036212
87. Board Terms of Reference, POL-BSFF-0190637
7
January 2013
POL0036217
88. Board Terms of Reference, POL-BSFF-0190688
8
February 2015
POL0036219
89. Board Terms of Reference, POL-BSFF-0190701
1
July 2016
POL0042341
90. Board Terms of Reference, POL-BSFF-0238230
5
undated
POL0036213
91. ARC Terms of Reference I POL-BSFF-0190646
6
dated March 2014
POL0042334
92. ARC Terms of Reference I POL-BSFF-0238160
5
dated September 2015
POL0042350
93. ARC Terms of Reference I POL-BSFF-0238318
3
dated April 2020
Page 124 of 141
WITN11190100
WITN11190100
POL0042323
94. POL-BSFF-0238049
4
dated 13 November 2012
POL0042314
95. ARC Meeting Pack, 13 I POL-BSFF-0237956
1
February 2013
POL0002151
96. Board meeting minutes I POL0000043
0
dated 23 January 2013
POL0042314
97. Royal Mail Board minutes I POL-BSFF-0237960
5
dated 6 April 2004
POL0042314
98. Royal Mail Board minutes I POL-BSFF-0237961
6
dated 5 October 2004
POL0042314
99. Royal Mail Holdings ARC POL-BSFF-0237958
3
Minutes dated 11 November
2003
Page 125 of 141
WITN11190100
WITN11190100
POL0042314
100. Royal Mail Holdings ARC I POL-BSFF-0237959
4
Minutes dated 18 March
2004
POL0042314
101. Royal Mail Holdings ARC POL-BSFF-0237962
7
Minutes dated 7 September
2004
POL0042314
102. Royal Mail Holdings ARC I POL-BSFF-0237963
8
Minutes dated 14 March
2006
POL0042314
103. Royal Mail Holdings ARC I POL-BSFF-0237964
9
Minutes dated 2 September
2006
POL0033600
104. Royal Mail Holdings ARC I POL-0183520
6
Quarterly Report September
to October 2006 draft -
November 2006
Page 126 of 141
WITN11190100
WITN11190100
POL0042319
105. ARC minutes from 14 June I POL-BSFF-0238013
8
2010
POL0042314
106. Minutes of the Board POL-BSFF-0237961
6
meeting on 5 October 2005
POL0042323
107. ARC Meeting Pack, 13 I POL-BSFF-0238049
4
November 2012
POL0042367
108. ARC Meeting Minutes, 13 POL-BSFF-0238488
3
February 2013
POL0014532
109. Post Office Board meeting I POL-BSFF-0004454
7
minutes dated 21 May 2013
POL0042350
110. ARC agenda and pack for I POL-BSFF-0238324
9
meeting of 19 May 2016
Page 127 of 141
WITN11190100
WITN11190100
POL0042336
111. ARC meeting minutes dated I POL-BSFF-0238183
8
19 May 2016
POL0002154
112. Post Office Board minutes I POLO0000077
4
dated 29 September 2016
POL0042339
113. ARC pack for meeting of 18 I POL-BSFF-0238205
0
May 2017
POL0042366
114. Whistleblowing Report, May I POL-BSFF-0238484
9
2017
POL0042340
115. ARC meeting minutes dated I POL-BSFF-0238224
9
18 May 2017
POL0042341
116. ARC Financial Crime Risk I POL-BSFF-0238227
2
Update dated 27 March
2018
POL0042341
117. ARC Financial Crime Risk I POL-BSFF-0238228
3
Update dated 17 May 2018
Page 128 of 141
WITN11190100
WITN11190100
POL0042348
118. Do the right thing, SPEAK
3 POL-BSFF-0238298
UP poster dated 19 April
2018Do the right thing,
SPEAK UP poster dated 19
April 2018
POL0002145
119. ARC meeting minutes dated I POL-0018087
7
31 July 2018
POL0042341
120. ARC Compliance Report I POL-BSFF-0238229
4
dated 30 October 2018
POL0042342
121. ARC Compliance Report I POL-BSFF-0238238
3
dated 29 January 2019
POL0042341
122. ARC Internal Audit Report
7 POL-BSFF-0238232
dated 29 January 2019
POL0042345
123. POL ARC Agenda and Pack I POL-BSFF-0238269
4
dated 25 March 2019
Page 129 of 141
WITN11190100
WITN11190100
POL0042296
124. POL ARC Agenda and Pack I POL-BSFF-0237824
8
dated 29 May 2019
POL0042350
125. ARC pack for meeting of 26 I POL-BSFF-0238323
8
July 2019
POL0042358
126. ARC Whistleblowing Review I POL-BSFF-0238398
3
2018-19 dated 29 July 2019
POL0042358
127. Annexure A to ARC
2 POL-BSFF-0238397
Whistleblowing Review
2018-19
POL0042346
128. ARC meeting minutes dated I POL-BSFF-0238281
6
26 July 2019
POL0042346
129. POL ARC Agenda and Pack I POL-BSFF-0238279
4
dated 23 September 2019
POL0042368
130. POL ARC Agenda and Pack I POL-BSFF-0238502
4
dated 25 November 2019
Page 130 of 141
WITN11190100
WITN11190100
POL0042346
131. ARC pack for meeting of 28 I POL-BSFF-0238283
8
January 2020
POL0042350
132. ARC meeting minutes dated I POL-BSFF-0238320
5
28 January 2020
POL0040157
133. POL ARC Agenda and Pack I POL-BSFF-0228247
7
dated 19 May 2020
POL0042351
134. ARC pack for meeting of 27. I POL-BSFF-0238325
ie}
July 2020
POL0042358
135. Annexure A — Annual I POL-BSFF-0238404
9
Whistleblowing Report
2019-20
POL0040160
136. ARC meeting minutes dated I POL-BSFF-0228271
1
27 July 2020
POL0042351
137. ARC Compliance and Audit I POL-BSFF-0238333
8
Report dated 24 November
2020
Page 131 of 141
WITN11190100
WITN11190100
POL0042368
138. POL ARC Compliance and I POL-BSFF-0238503
5
Audit Report dated 26
January 2021
POL0042369
139. ARC meeting pack dated 30 I POL-BSFF-0238508
0
March 2021
POL0042367
140. ARC meeting minutes dated I POL-BSFF-0238487
2
September 2021
POL0042359
141. Appendix A to I POL-BSFF-0238414
9
Whistleblowing Report
2020/2021
POL0042334
142. Post Office Risk and POL-BSFF-0238162
7
Compliance Committee
decision paper titled 'Review
of RCC Terms of Reference’,
5 May 2016, which contains
RCC Terms of Reference
dated March 2015
POL0042325
143. RCC Terms of Reference, POL-BSFF-0238070
5
March 2014
Page 132 of 141
WITN11190100
WITN11190100
POL0042338
144. RCC Terms of Reference, POL-BSFF-0238201
6
July 2016
POL0042352
145. RCC Terms of Reference, POL-BSFF-0238335
0
December 2020
POL0042357
146. RCC Minutes (which state I POL-BSFF-0238388
3
the meeting date was 21
January 2015, but is dated
16 March 2015)
POL0042356
147. Risk and Annual Committee I POL-BSFF-0238378
3
Annual Agenda
POL0042357
148. RCC minutes dated 16 I POL-BSFF-0238387
2
March 2015
POL0042329
149. RCC minutes dated 1 May I POL-BSFF-0238112
7
2015
Page 133 of 141
WITN11190100
WITN11190100
POL0042356
150. The Code: Questions for I POL-BSFF-0238379
4
board to consider in its
annual assessment process
POL0042337
151. RCC minutes dated 6 I POL-BSFF-0238185
0
August 2015
POL0042331
152. RCC minutes dated 7 POL-BSFF-0238125
0
September 2015
POL0042336
153. RCC Minutes, 05.05.2016 POL-BSFF-0238182
7
POL0042356
154. RCC Meeting Pack, POL-BSFF-0238380
5
05.05.2016
POL0042337
155. RCC Minutes, 08.09.2016 POL-BSFF-0238192
7
POL0042356
156. RCC Meeting Pack,
6 POL-BSFF-0238381
08.09.2015
Page 134 of 141
WITN11190100
WITN11190100
POL0042339
157. RCC Minutes, 04.05.2017 POL-BSFF-0238206
1
158. RCC Meeting ~— Pack, I POL-BSFF+
04.05.2017
POL0042341
159. RCC Minutes, 13.09.2017 POL-BSFF-0238225
0
POL0042369
160. RCC Meeting Pack, I POL-BSFF-0238511
3
13.09.2017
POL0042357
161. RCC Minutes, 10.07.2018 POL-BSFF-0238389
4
POL0040162
162. RCC Meeting Pack, POL-BSFF-0228297
7
10.07.2018
POL0042348
163. One article: Whistleblowing
2 POL-BSFF-0238297
Poster — Supply Chain
Page 135 of 141
WITN11190100
WITN11190100
POL0042347
164. Speaking up is the ultimate
7 POL-BSFF-0238292
act of loyalty — July 2019
POL0042346
165. RCC Minutes, 09.05.2019 POL-BSFF-0238275
0
POL0042356
166. RCC Meeting Pack, I POL-BSFF-0238382
7
09.05.2019
POL0042346
167. RCC Minutes, 04.07.2019 POL-BSFF-0238277
2
POL0042356
168. RCC Meeting Pack, I POL-BSFF-0238383
8
04.07.2019
POL0042351
169. RCC Minutes, 06.05.2020 POL-BSFF-0238327
2
POL0042356
170. RCC Meeting Pack,
9 POL-BSFF-0238384
06.05.2020
Page 136 of 141
WITN11190100
WITN11190100
POL0040161
171. RCC Minutes, 13.07.2020 POL-BSFF-0228284
4
POL0042357
172. RCC Meeting Pack, I POL-BSFF-0238385
0
13.07.2020
POL0042351
173. RCC Meeting Minutes, I POL-BSFF-0238334
9
12.11.2020
POL0042357
174. RCC Meeting Pack, I POL-BSFF-0238386
1
12.11.2020
POL0042353
175. RCC Meeting Minutes, / POL-BSFF-0238351
6
12.01.2021
POL0042369
176. RCC Meeting Pack, POL-BSFF-0238512
4
12.01.2021
POL0042369
177. RCC Meeting Minutes, I POL-BSFF-0238510
2
16.03.2021
Page 137 of 141
WITN11190100
WITN11190100
POL0042369
178. RCC Meeting Pack, I POL-BSFF-0238513
5
16.03.2021
POL0042325
179. GE Terms of Reference I POL-BSFF-0238074
9
dated February 2015
POL0042338
180. GE Terms of Reference I POL-BSFF-0238199
4
dated December 2016
POL0042353
181. GE Terms of Reference I POL-BSFF-0238354
9
dated November 2020
POL0023726
182. GE meeting pack dated 17 I POL-BSFF-0075325
2
December 2015, which
includes RCC minutes from
26 October 2015
POL0042368
183. Email from One Post Office I POL-BSFF-0238500
2
to staff dated 10 April 2017
POL0042339
184. Email chain between I POL-BSFF-0238210
5
Georgina Blair, Tracy Curtis,
Page 138 of 141
WITN11190100
WITN11190100
Vitor Camara, and Sally
Smith, 17 August 2017
POL0042342
185. Internal Audit Report titled I POL-BSFF-0238236
1
‘Whistleblowing Process”, 2
January 2019
POL0042351
186. POL Internal Audit Report, POL-BSFF-0238329
4
Whistleblowing Process,
issued 2 January 2019
POL0042349
187. Document titled ‘Branch I POL-BSFF-0238313
8
focus: Whistleblower Poster
— DMBs only’, undated
POL0042348
188. Whistleblowing article dated I POL-BSFF-0238299
4
4 May 2018
POL0042347
189. Do the right thing SPEAK UP POL-BSFF-0238288
3
intranet page, 31 December
2018
Page 139 of 141
WITN11190100
WITN11190100
POL0042350
190. Whistleblowing MI for I POL-BSFF-0238319
4
2019/20
POL0042347 POL-BSFF-0238290
191. January 2019 Intranet post
5
“Do the right thing, SPEAK
UP”
POL0042345
192. Overview of Whistleblowing I POL-BSFF-0238271
6
processes produced by the
Head of Financial Crime,
2019
POL0042352
193. “Our Whistleblowing Survey I POL-BSFF-0238341
6
Results”, April 2019
POL0042348
194. “We protect whistleblowers’ I POL-BSFF-0238296
1
anonymity”, undated
POL0042347
195. “It's about following your
8 POL-BSFF-0238293
conscience” dated June
2019
Page 140 of 141
WITN11190100
WITN11190100
POL0042352
196. Whistleblowing MI 20-21 POL-BSFF-0238342
7
POL0042347
197. Intranet survey reminder I POL-BSFF-0238289
4
messages dated 18
February 2019 and 25
February 2019
POL0042347
198. Intranet message I POL-BSFF-0238291
6
“Whistleblowing: Your views
count” - January 2019
Page 141 of 141