Risk management is all about deliberately tackling uncertainties that could impede the achievement of the strategic objectives. To provide a picture of risk management at NS, this chapter looks at risk appetite, the organisation of risk management and the key risks.
Risk appetite and risk tolerance
The risk appetite and the level of risk management that NS aims for in each of six risk themes are set out in what are called the ‘risk appetite statements’. Each risk theme is linked to specific performance indicators with a quantitative bandwidth. Every year, the Executive Board evaluates and, if necessary, adjusts the risk appetite in each theme.
Explanation of what NS accepts in each risk theme:
Safety: zero or minimal deviations from safety objectives
Integrity & compliance: zero or minimal deviations from integrity & compliance objectives
Operations: zero or minimal deviations from operational objectives and franchise KPIs
Finance: zero or minimal deviations from financial objectives
Reputation: zero or minimal deviations from reputation objectives
Sustainability: wider deviations from sustainability objectives
There are quarterly assessments and reports showing whether the NS-wide risk profile is still in line with the risk appetite. These reports show the risk profile for each theme in comparison with the defined risk appetite and the key (group-wide) risks that are monitored by the Executive and Supervisory Boards.
Organisation of risk management
It is important for NS that the risk management system operates properly. To ensure continuous, integrated management of risks, risk management must keep pace with internal and external developments. In 2019, NS focused on improving the risk management process by quantifying the risks and incorporating them explicitly into the planning schedules and analyses.
NS uses probabilistic planning schedules and analyses to present a realistic picture of the future impact of uncertainties and risks, so as to gain better insight into the reliability of project-related plans, policy choices and risk budgets. This helps us to make better decisions. This approach was applied in several business units over the course of 2019, and will be rolled out more widely within NS in the year ahead. In addition, we worked on embedding Business Continuity Management in the organisation, and established a collaboration with ProRail for that purpose.
Risk governance at NS has been set up using the ‘three lines of defence’ model. The guiding principle in this model is that the first line of defence (the operational business) is responsible for the management of the risks by embedding this properly in processes and clearly assigning responsibilities. The second line of defence, which involves the NS Risk department, provides support and advice and makes sure that line managers are fulfilling their responsibilities as intended. The third line of defence, involving the Internal Audit department, carries out independent checks to make sure that the risk management and internal control system is working properly.
In 2019, NS Risk continued its collaboration with various departments within the risk management function, including Integrity & Compliance, Cybersecurity and Legal. We jointly assess proposed policies and new investments, and advise the Executive Board. Additionally, we collaborate on a range of NS-wide risk analyses, taking stock of, prioritising and assigning responsibilities for risks in, for example, the cybersecurity domain.
In order to be demonstrably in control of key processes and systems, in 2019 NS continued work on the Internal Control Framework: a uniform system for documenting and monitoring processes/systems, the associated risks, and control measures and how they work.
The Risk department aims to set up integrated risk management together with specialists from the operational business, and to perform systematic risk assessments (by weighing risks up against the risk appetite). Integrated risk management consists of three pillars:
actively supporting and supervising the management's efforts to take stock of and mitigate risks, for example through risk assessments;
weighing up the risks during decision-making;
analysing incidents that arose from deficiencies in risk management to learn from the mistakes made.
This ensures stronger control as it will help NS to detect potential issues or opportunities at an early stage and make targeted and proactive changes in response. We determine the degree of support by the second line of defence in these processes on the basis of a risk assessment that is made beforehand.
Recording and reporting
Identified risks, including the risk owners, have been recorded in risk registers and assigned quantitative scores using a single, uniform risk matrix. Once a quarter, NS reports the main risks for each business unit and discusses them in the Executive Board as part of the planning and control cycle. We immediately report any risks that fall outside our risk appetite and escalate them where necessary. The Executive Board reports on and renders account for the risk management and internal control system to the Supervisory Board after discussing it in the Risk and Audit Committee.
Risk management is an issue that concerns us all, as it is part and parcel of our daily operations. Awareness of the work of the Risk team is growing within NS; colleagues from all departments and units know where to find the team and are supported by NS Risk where necessary.
NS Risk provides risk management training programmes to enable colleagues to tackle risk management issues themselves. A syllabus with instructions for staff on how to carry out the risk management process themselves will become available in 2020.
NS Risk is an independent unit that is also an integral part of NS. It informs, challenges, takes stands and provides both solicited and unsolicited advice based on its knowledge of NS and without judging. The department helps come up with solutions that do justice to the various interests and help NS implement its strategy.