Our approach

Introduction

We view compliance with all relevant laws and regulations as an integral part of doing business. Business management is responsible for ensuring adherence to regulatory requirements as well as monitoring performance, and is supported by staff functions. Compliance forms part of our internal control and governance frameworks.

At PostNL we have identified more than 30 relevant compliance areas requiring our management's attention. Depending on the business activities of our entities, different compliance areas need to be managed, including but not limited to Dutch postal law, competition law, transport regulations, tax regulations, data protection and privacy regulations, and labour and social laws.

In relation to sustainable development, stakeholders increasingly expect large companies such as PostNL to lead by example through their influence on value chains. This means that beyond compliance in relation to direct activities, we are expected to stimulate and in some cases assume responsibility for the compliance of our business partners.

This applies to areas such as transport and handling of dangerous goods, environmental compliance, responsible (international) procurement, the Foreign Nationals Employment Act (Wet Arbeid Vreemdelingen), and the Labour Market Fraud Act (Wet Aanpak Schijnconstructies).

Our framework

Applying a compliance management cycle

We manage compliance in a management process based on a compliance framework. Dedicated compliance officers facilitate and challenge management on a regular basis on different elements in the cycle. First, relevant compliance areas are updated in collaboration with the business. For each area, the required maturity level of our compliance management is determined based on a maturity model. The level of compliance management may vary depending on the size, exposure and risks for different entities. We then evaluate, based on the COSO framework, how compliance can be demonstrated for each relevant area per reporting entity through our risk management, internal control and internal audit processes. As a final step, we assess and report the status of compliance to both line management and our formal governance bodies.

Status and summary of main developments in 2021

Based on our internal control assessments and internal audit findings, for the vast majority of laws and regulations we did not identify relevant deficiencies relating to compliance-mitigating activities that require follow-up. We identified the following two areas for improvement: compliance in our value chain and implementation of the Three Lines Model.

Compliance in our value chain

Responsibility along the value chain has become an increasingly relevant topic in the public arena. As a large company, we want to proactively contribute to improvements in our value chain across a broad range of topics, even though this goes beyond our own responsibility under applicable laws and regulations. We believe our efforts are important because they can help limit the risk of issues impacting our people, our customers, and the company.

Based on a number of events that took place during the first half of 2021, we concluded that some domains require additional investigation and improvement. This related in particular to the Foreign Nationals Employment Act (Wet Arbeid Vreemdelingen), the Labour Market Fraud Act (Wet Aanpak Schijnconstructies) and the situation in Belgium relating to labour and social laws.

Improvements include more stringent compliance checks at the logistics partners we do business with. In 2021, we began making process and IT improvements to better facilitate these checks. In Belgium, we established a dedicated project team that has started engaging with a range of relevant stakeholders on possible improvements that can be implemented across the sector, as well as developments relating to potential new regulations.

Three Lines Model

There are a variety of different ways in which a company can ensure compliance, including the division of roles and responsibilities, their setup and how they are carried out. Because we view compliance as an integral part of our business, in 2021 we took the decision to begin moving to the Three Lines Model.

The model is based on explicit divisions of responsibility between the first line (the provision of services to customers and managing risk), the second line (expertise, support, monitoring and challenging) and the third line (internal audit). Line management is responsible for both the first and second line. The model, which helps build management awareness on how to manage compliance, will be gradually implemented in 2022.