We are committed to sound business conduct. We therefore manage our business according to applicable laws and regulations and according to the PostNL Business Principles, which provide guidance on interaction with colleagues, customers, business partners and society in general. A company-wide integrity programme ensures that the Business Principles are applied consistently throughout the organisation.
The Integrity Committee advises and assists the Board of Management in developing, implementing, and monitoring Group policies and procedures aimed at enhancing integrity and ethical behaviour as well as preventing fraud, corruption and bribery. The Integrity Committee is composed of the director Audit & Security, the manager Integrity Office, the Corporate Security Officer, the director Legal, the manager People Development, the director Communication & Investor Relations, the director Wholesale, and the director Operations Parcels Benelux.
The Integrity Committee oversees investigations based on reports of possible breaches filed under the PostNL Business Principles, the PostNL Group procedure on whistleblowing and the PostNL Group procedure on fraud prevention, anti-bribery, and anti-corruption.
PostNL recognises the need to have detailed fraud prevention and anti-bribery and anti-corruption policies, procedures and reporting mechanisms in place to protect our business integrity and to comply with all applicable laws and regulations. Anti-bribery and anti-corruption legislation, both in our home country and the countries we operate in, is very important for PostNL to conduct its business globally. All reported incidents of actual or suspected corruption or bribery will be promptly and thoroughly investigated and dealt with appropriately.
The Integrity Committee advises the Board of Management and line management on the mitigation of fraud risks and on ethical, anti-bribery and anti-corruption matters. The Integrity Committee reports quarterly to the Board of Management and every six months to the Supervisory Board.
The focus of our integrity approach is to regularly ensure our employees are familiar with the PostNL Business Principles. Our company-wide e-learning 2019 module on integrity has been mandatory for management and for office workers, and voluntary for production workers. The module is part of our regular onboarding programme.
Through this e-learning module on integrity we aim to educate management and employees about our Business Principles, and the desired behaviour based on these principles. As of 2021, the completion rate for this module was nearly 100%.
In accordance with the requirements of the Corporate Governance Code, we also performed an assessment connected to the organisational awareness with our business principles. The ‘Employee engagement monitor 2021’ addressed employees' familiarity with the PostNL Business Principles, and their perception as to whether we work according to the PostNL Business Principles. The main outcome of this assessment in 2021 showed that 86% of the responders are (partly) familiar with the PostNL Business Principles. Of this 86%, in total 60% perceive that PostNL mostly works according to the PostNL Business Principles and 16% perceive this as continuously. This outcome represents a slight improvement compared to 2020. We use the outcome of the monitor as input for continuous improvement of our integrity approach and our activities at the PostNL Group companies.
During the year we started 829 investigations in response to integrity-related issues. These investigations covered issues such as theft of mail or parcels, bribery and corruption, or failure to follow workplace practices. The investigations resulted in 172 discontinued work relationships. At year-end 2021, 67 investigations were ongoing.
The integrity-related investigations include cases of alleged (sexual) harassment and discrimination, and in 2021 we investigated 169 reported incidents connected to (sexual) harassment and discrimination allegations. We are continuously working to improve awareness on these issues, such as through direct employee communication, dialogue with line management and HR representatives, and following up on reported integrity-related incidents. We work hard to create an environment across the company where people feel safe and empowered to speak up.
In addition to case-specific investigations, we apply trend analysis to these incidents to identify recurring topics that require further preventive actions. To the best of our knowledge, in 2021 we had no cases of bribery or corruption that had a significant impact on our business.
As we become more dependent on systems and data, cyber security is becoming increasingly important. We manage our digital information and processes across the organisation by ensuring that we secure the data, systems and applications that PostNL uses within its business processes. We have a Cyber Security policy in place to guide the business on how to effectively implement cyber security. To help manage our cyber security risks, we first acquire a complete understanding of the systems, data and capabilities we operate across the business. We then develop and implement appropriate protective measures, such as controlling access to digital and physical assets, providing awareness, implementing processes to secure data, maintaining baseline network configurations and operations to repair components quickly and deploy technology to ensure cyber resilience.
We regularly perform internal control testing of IT general controls including identity & access management, change management and incident management and we have centralised processes in place to mitigate cyber security threats such as single sign-on and multi-factor authentication, patch management, firewall management and back-up and recovery management.
In 2021, we continued to explicitly address cyber security in our review of internal controls performed by our suppliers since most of our critical applications are implemented based on SaaS and Cloud principles. This assessment will be continued in 2022.
During the year we identified three cyber security incidents, all related to DDOS attracts in our operating systems. These incidents were swiftly resolved and had no direct impact our service delivery.
PostNL believes that it is vital to handle the personal data of its customers and consumers with due care and adheres to all applicable laws and regulations. The most notable of these is the General Data Protection Regulation (GDPR), which is further elaborated on in the General Data Protection Regulation Implementation Act.
We have established a Group Policy on Privacy which outlines the fundamental principles we adhere to as a company regarding the use of personal data. These principles are in line with PostNL's Business Principles. We strive to provide high-quality services, in which reliability is an important factor. We therefore view the protection and careful handling of personal data as an important precondition for further innovation and development of our services. To help achieve this, we have set up governance, processes and procedures to adequately implement the 'accountability' in the field of the protection of personal data. This includes a processing register, a reporting process for data breaches, process for handling the rights of the person concerned, implementation of data privacy impact assessments, and the application of the Privacy by Design principle in development of new processes and systems.
PostNL also established a data governance board to provide oversight on how we use and protect data. The board discussed different data-related topics, including, for example, digital ethics. To the best of our knowledge, there were no substantiated complaints received from customers in relation to breaches of their privacy.
In order to prevent any threat which could adversely affect the business of PostNL and its stakeholders, PostNL is committed to ensuring its operations are secure. The Group Policy on Security outlines the mandate of the Security function within PostNL and to define the responsibilities relating to security matters. On other words, to ensure that adequate measures, procedures, checks and balances are in place, regarding asset protection, loss prevention and security information management.
PostNL’s Group policies and procedures reflect and define the view of the Board of Management and the way we conduct our business. Performance and compliance are integral parts of our enterprise risk management approach and are monitored regularly in discussions between the appropriate line management and the Board of Management via dedicated compliance reviews, internal audits, through the monitoring duties of PostNL committees and through the internal letter of representation. Once a year, a compliance report is presented to the Executive Committee. This report provides a comprehensive overview of compliance on various topics, which are identified based on risk, and which are assessed applying a systems-oriented approach. This is based on a maturity model and a framework of compliance control standards. Recommendations to further improve compliance at PostNL are part of this report.
For the purposes of issuing the letter of representation, all managing directors and finance directors of PostNL’s Group entities and company-level management reporting directly to the Board of Management perform a self-assessment of their responsibilities in the risk assessment process, effectiveness of internal controls procedures, compliance with laws and regulations, and financial and non-financial reporting process. The signed internal letters of representation are the basis for the letter of representation that the Board of Management signs off as part of the audit by the external auditor.