NS has adopted a three-lines-of-defence model to make sure the risks are managed as an integral whole. The guiding principle in this model is that the first line of defence (the operational business) is responsible for the control of its processes. The second line of defence (which includes risk management), provides support and advice and makes sure that line managers are fulfilling their responsibilities as intended. The third line of defence (internal audit) carries out independent checks to make sure that the system of risk management and internal controls is indeed working properly.

NS is exposed to various risks on a daily basis as it delivers its services. We subdivide these risks into strategic, operational, financial (reporting) and compliance risks. Effective risk management is crucial if risks are to be controlled properly. The NS Risk Framework helps make sure that we handle the most important risks appropriately when taking decisions and in day-to-day business operations.

Organisation, governance and reporting

The business units and the Executive Board are responsible for managing the risks. Risks are therefore assigned an ‘owner’ within the organisation. Risk managers support the operational departments by helping to identify the risks and monitoring progress in the control of significant risks. To achieve a more uniform and independent way of working and be able to deploy the risk managers more widely, the risk managers report to the Risk Management Director.
The risks for each business unit are reported every quarter and discussed in the Executive Board as part of the planning and control cycle. Risks that exceed the tolerance thresholds are reported immediately. The Executive Board reports on and renders an account of the risk management system and internal control to the Supervisory Board after discussing this in the Risk and Audit Committee.

Risk management system

NS has implemented a system for the identification and control of risks. We identify risks, deal with them and report on them. More attention is being paid to the quantification of risks, both in strategic decision-making and in the day-to-day business operations. Managerial control is strengthened by the establishment of integrated risk management in conjunction with the operational side and by systematically making risk assessments (in the light of the ‘risk appetite’). This will help us to detect potential bottlenecks or opportunities at an early stage and make targeted and proactive changes in response.

Risk appetite and risk tolerance

In 2016, the Executive Board redefined its risk appetite for eight themes. The Executive Board’s definition of its risk appetite is given below.

Compared with last year, the Executive Board has changed its risk appetite in the category ‘Reputation’ from neutral to averse. The risk appetite for the category ‘Growth’ has shifted from neutral to open. The risk appetite acts as a guide in determining tolerance levels (thresholds) for objectives and KPIs. As part of the Business Plan and budget process, threshold values have been determined for the main NS KPIs. Further implementation of the KPIs and associated thresholds will take place within the organisation in 2017 to ensure that all staff are directly involved in achieving the objectives and managing risks.

Risk identification and risk control

NS has introduced a system for identifying and controlling risks. Risk assessments of key programmes, projects and processes are carried out within the business units on a regular basis. The Executive Board discusses the risks at regular intervals. NS records these risks in risk registers. NS Risk advises the Executive Board and Supervisory Board, among other things, on proposed investments of more than €5 million, for example investments in rolling stock or real estate, and on bids for franchises in the Netherlands and abroad. NS Risk does this together with the Business Control Group and NS Legal. NS also has a business control incident scheme, the aim of which is to respond to any incidents by looking into possible shortcomings in the internal control system and making improvements accordingly.

Tools and IT support

NS also carries out stress tests in some circumstances. Risks with a high priority are investigated further using bow-tie analyses. This gives us a good understanding of the causes and consequences of the risks, as well as the control measures in place and those that are lacking. We do not yet have an integrated Enterprise Risk Management tool or system. This will be set up in the course of the next few years, possible as part of a broader governance, risk and compliance tool.

Risk culture

Risk management must become part of our DNA, but without hindering the business operations. In 2017, a corporate culture programme will start at NS that incorporates risk management. This should increase risk awareness among staff.

Statement by the Executive Board

The Executive Board believes that the risk management and internal control systems relating to the financial reporting risks in the financial year functioned satisfactorily and give a reasonable degree of assurance that the financial reports do not contain any material misstatements. The Executive Board states that as far as it is aware:

• the financial statements give a true and fair view of the assets, liabilities, financial position and profits of NS and the companies included in the consolidation as a whole;

• the annual report gives a true and fair view of the situation on the balance sheet date and the course of business during the financial year;

• the annual report contains a description of the principal risks NS is facing.