Regulatory compliance management

PostNL believes that laws and regulations are designed to protect all members of society and our environment. Compliance forms part of our internal control and governance frameworks. We operate in a sector that is defined by continually developing regulations, and in this paragraph we outline our approach, our focus, and the main regulatory developments in 2023.

Our Approach to compliance

We manage compliance in a management process based on a compliance framework and continuous improvement. Dedicated compliance officers facilitate and challenge management on a regular basis on different elements in the process.

At PostNL, we have identified ten compliance domains. These domains include the Dutch and Belgian postal law, competition law, transport regulations, environmental laws and regulations, tax regulations, data protection and privacy regulations, and labour and social laws.

For each domain, the required maturity level of our compliance management is determined based on a maturity model. The level of compliance management may vary depending on the size, exposure and risks for different entities. We then evaluate, based on the COSO ERM 2017 framework, how compliance can be demonstrated for each relevant area per reporting entity through our compliance risk management, internal control and internal audit processes.

Business management is responsible for ensuring adherence to regulatory requirements as well as monitoring performance, and is supported by staff functions and dedicated compliance officers. Management is required to confirm its responsibility for the compliance with laws and regulations by its legal entities. As a final step, we assess and report the status of compliance on a quarterly basis to both line management and our governance bodies.

Focus areas in 2023

Based on our internal control assessments and internal audit findings, for the vast majority of laws and regulations we did not identify significant deficiencies relating to compliance-mitigating activities that require follow-up. Our four focus areas for 2023 were to make further improvements in our implementation of the Three Lines Model, the Human Rights compliance management system, Privacy and AI compliance controls and in Compliance in our value chain with key focus on delivery partners.

Three Lines Model

In 2023, we continued to focus on the implementation of the Three Lines Model for the 10 key compliance domains. We defined and agreed upon roles and responsibilities with EC members by explicitly identifying first, second and third line defense for these compliance domains. Connected to this, we remained focused on the underlying soft controls, or 'cultural drivers', and started to measure the risk-aware compliance culture in the company.

Human Rights compliance management system

We have started in 2023 a company-wide project on improving the compliance management processes aimed at safeguarding human rights for all persons working with or at PostNL. Being a large employer in the Netherlands, this topic is significant for PostNL. We implement the approach and criteria of the SA 8000 management system by systematically reviewing our current policies and management processes connected to the human rights topics as defined by the ILO, UNGC and the OECD.

In 2023 we completed our improvement efforts connected to the topics Child labour, Discrimination, Remuneration and Disciplinary practices. Early 2024 we aim to complete the remaining topics Forced or compulsory labour, Freedom of association & rights to collective bargaining, Working hours and Health and safety.

Privacy and AI compliance controls

In 2023 we performed an integral review of the current status and adequacy of our privacy control framework as a follow-up on the earlier GDPR implementation. We have reviewed whether all privacy relevant data processing is recognized and recorded. And next we have reviewed that for all high risk data processing the adequate privacy impact assessments are in place. Also, the privacy relevant incident management and reporting procedures have been re-evaluated.

Connected to the ethical risks in Artificial Intelligence (including Machine Learning and Robotics) we have developed in 2022 a Digital Ethics risk management process. In 2023 we performed an assessment on all AI related technology already in place at PostNL to validate the extent that this technology works within the boundaries of our Business Principles and other ethical standards at PostNL. As a next step, we are implementing this risk management process as a standard step in our Agile IT development organization to safeguard that newly developed tools also adhere to the Digital Ethics requirements.

Compliance in our value chain 

Stakeholders increasingly expect large companies such as PostNL to lead by example through their influence on value chains. Responsibility along the value chain is a relevant topic in the public arena. As a large company, we proactively contribute to improvements in our value chain across a broad range of topics, even when this goes beyond our own responsibility under applicable laws and regulations. This applies to areas such as the transport and handling of dangerous goods, environmental compliance, responsible (international) procurement, Foreign Nationals Employment Act (Wet Arbeid Vreemdelingen), and the Labour Market Fraud Act (Wet Aanpak Schijnconstructies). Connected to the two last laws, we included specific controls in our hiring and onboarding process applicable to all persons working for or at PostNL.

In 2023, we continued to introduce structural improvements, including more stringent compliance checks at those delivery partners we do business with in the Netherlands and Belgium. Our newly created due diligence process for delivery partners is designed to cover several important compliance and ESG topics. The process is based on the OECD Due Diligence Guidance for Responsible Business Conduct and will be implemented in the first half of 2024.