We are committed to sound business conduct. We therefore manage our business according to applicable laws and regulations and according to the PostNL Business Principles, which provide guidance on interaction with colleagues, customers, business partners and society in general. A company-wide integrity programme ensures that the Business Principles are applied consistently throughout the organisation.
The Integrity Committee advises and assists the Board of Management in developing, implementing, and monitoring Group policies and procedures aimed at enhancing integrity and ethical behaviour as well as preventing fraud, corruption and bribery. The Integrity Committee is composed of the director Audit & Security, the manager Integrity Office, the Corporate Security Officer, the director Legal, the manager People Development, the director Communication & Investor Relations, the director Wholesale, and the director Operations Parcels Benelux.
The Integrity Committee oversees investigations based on reports of possible breaches filed under the PostNL Business Principles, the PostNL Group procedure on whistleblowing and the PostNL Group procedure on fraud prevention, anti-bribery, and anti-corruption.
PostNL recognises the need to have detailed fraud prevention and anti-bribery and anti-corruption policies, procedures and reporting mechanisms in place to protect our business integrity and to comply with all applicable laws and regulations. Anti-bribery and anti-corruption legislation, both in our home country and the countries we operate in, is very important for PostNL to conduct its business globally. All reported incidents of actual or suspected corruption or bribery will be promptly and thoroughly investigated and dealt with appropriately.
The Integrity Committee advises the Board of Management and line management on the mitigation of fraud risks and on ethical, anti-bribery and anti-corruption matters. The Integrity Committee reports quarterly to the Board of Management and every six months to the Supervisory Board.
The focus of our integrity approach is to regularly ensure our employees are familiar with the PostNL Business Principles. Our company-wide e-learning module on integrity is mandatory for management and for office workers, and voluntary for production staff. The module is part of our regular onboarding programme. Through this e-learning module on integrity we aim to educate management and employees about our Business Principles, and the desired behaviour based on these principles.
In accordance with the requirements of the Corporate Governance Code, we also performed an assessment connected to the organisational awareness with our business principles. The ‘Employee engagement monitor 2020’ addressed employees' familiarity with the PostNL Business Principles, and their perception whether we work according to the PostNL Business Principles. The main outcome of this assessment in 2020 showed that 85.8% of the responders are (partly) familiar with the PostNL Business Principles. Of this 85.8%, in total 59.4% perceive that PostNL mostly works according to the PostNL Business Principles and 14.9% perceive this as continuously. We use the outcome of the monitor as input for our integrity approach and our activities at the PostNL Group companies.
During the year we started 636 investigations in response to integrity-related issues. These investigations covered issues such as theft of mail or parcels, bribery and corruption, or failure to follow workplace practices. This resulted in 235 discontinued work relationships. At year-end 2020, 57 investigations were ongoing. To the best of our knowledge, we had no cases of bribery or corruption that had a significant impact on our business.
Although not identified as key risks, we have identified risks of bribery and corruption in the area of procurement, where breaches to our policies could occur between suppliers and PostNL employees.
We manage our digital information and processes across the organisation by ensuring that we secure the data, systems and applications that PostNL uses within its business processes. We have a Cyber Security policy in place, which guides the business on how to effectively implement cyber security. To help manage our cyber security risks, we first acquire a complete understanding of the systems, data and capabilities we operate across the business. We then develop and implement appropriate protective measures, such as controlling access to digital and physical assets, providing awareness, implementing processes to secure data, maintaining baseline network configurations and operations to repair components quickly and deploy technology to ensure cyber resilience.
We regularly perform internal control testing of IT general controls including identity & access management, change management and incident management and we have centralized processes in place to mitigate cyber security threats such as single sign-on and multi-factor authentication, patch management, firewall management and back-up and recovery management.
In addition in 2020 we have started to explicitly address cyber security in our review of internal controls performed by our suppliers since most of our critical application are implemented based on SaaS and Cloud principles. This assessment will be continued in 2021.
PostNL believes that it is vital to handle the personal data of its customers and consumers with due care and adheres to all applicable laws and regulations. The most notable of these is the General Data Protection Regulation (GDPR), which is further elaborated on in the General Data Protection Regulation Implementation Act.
We have established a Group Policy on Privacy which outlines the fundamental principles we adhere to as a company regarding the use of personal data. These principles are in line with PostNL's Business Principles. We strive to provide high-quality services, in which reliability is an important factor. We therefore view the protection and careful handling of personal data as an important precondition for further innovation and development of our services. To help achieve this, we have set up governance, processes and procedures (including a processing register, process reporting data leaks, process rights of the person concerned, implementation of DPIAs, Privacy by Design) to adequately implement the 'accountability' in the field of the protection of personal data.
PostNL’s Group policies and procedures reflect and define the view of the Board of Management and the way we conduct our business.
Performance and compliance are integral parts of our ERM approach and are monitored regularly in discussions between the appropriate line management and the Board of Management via dedicated compliance reviews, internal audits, through the monitoring duties of PostNL committees and through the internal letter of representation. For the purposes of issuing the letter of representation, all managing directors and finance directors of PostNL’s Group entities and company-level management reporting directly to the Board of Management perform a self-assessment of their responsibilities in the risk assessment process, effectiveness of internal controls procedures and financial and non-financial reporting process. The signed internal letters of representation are the basis for the letter of representation that the Board of Management signs off as part of the audit by the external auditor.