The risk that NS fails to comply with legislation and regulations or that NS violates (internal) norms and values, which may result in disadvantages for passengers, staff or other stakeholders, reputational damage, financial losses or sanctions from supervisory authorities.
NS aims to have properly controlled business operations, in which incidents are rare occurrences and legislation and regulations are complied with. To keep the number of incidents to a minimum, NS needs to fulfil a number of conditions. There should be a safe environment in which we can openly discuss incidents and investigate their background in a way that increases our understanding. Learning from reports and situations lets NS generate insights and take measures to prevent recurrences.
New and changed legislation and regulations must be translated into specific policies that we can then implement in the organisation with supporting processes and systems.
NS complies with national and international legislation and regulations. The Integrity & Compliance department took further shape in 2018 and is now in a position to perform all its tasks. Policy has been formulated and a framework drawn up that clarifies the links with other departments and issues. The sessions we have organised during various team days and meetings have raised awareness among staff of the Integrity Portal. The information in the Integrity Portal is updated and supplemented regularly in response to the latest developments. In 2018, the NS scheme for reporting integrity issues (including ‘whistle-blower’ reports) was reviewed and amended. This was prompted by the GDPR legislation and the lessons learned. The NS Integrity Desk ensures that irregularities or suspicions of irregularities can be reported safely.
In response to the irregularities in the public transport tender in Limburg in 2015, the consultancy firm Alvarez & Marsal was commissioned by our shareholder and our Supervisory Board to carry out an investigation into the effectiveness of governance, risk and compliance (GRC) within NS. The investigation report concluded: “The GRC organisation within NS is not on a sufficiently sound footing to prevent irregularities and unethical conduct to the maximum extent possible and promote the desired conduct.” Based on the conclusions and recommendations in the investigation report, NS has drawn up an improvement plan with specific objectives and actions. Nearly all measures have now been tackled. Some measures will take several years to implement, because they affect the entire organisation or because they are extensive by their very nature. In 2017, NS started a company-wide programme to encourage a culture of openness, taking responsibility and exemplary conduct throughout the organisation.
In 2018, NS organised sessions on a broad scale to encourage a more open and safer culture. These sessions were held at all levels of the organisation and always keyed into the questions and dilemmas that were relevant for the team or department in question. Delays or shortcomings in NS's compliance with legislation and regulations may also result in reprimands, fines, court cases, claims and reputational damage. In 2018, we paid specific attention to the GDPR, which came into effect in May 2018. We set up and facilitated the transfer of expertise and the associated policy. The GDPR project team was disbanded at the end of 2018.
In close collaboration with ProRail, we set up a portal in which we offer services and facilities to all carriers in the context of the Railways Act in a transparent and non-discriminatory way.
Risk control trend
The structure and the strategy of the NS organisation have been incorporated in the business operations, and are supported by measures. Enhancing a culture of openness and approachability is a less straightforward change to make. Progress has been made in both areas (structure and culture) in 2018, and additional steps have been planned for 2019. This means our risk control has improved.