Organisational culture, integrity and compliance
NS aspires to be an organisation characterised by an open and safe corporate culture where professional integrity is a matter of course. While we attach great importance to result-oriented working practices, they should be consistent with the norms and values to which we have committed ourselves. We have measured the maturity of integrity culture at NS since 2017. These measurements show that we pursue a controlled approach to risks and issues surrounding integrity and compliance. Integrity and compliance issues are a key consideration in all our decisions and management measures. Over the next few years, we intend to make further progress and develop into an organisation that tackles integrity issues proactively, thus preventing problems from arising.
Open and ethical culture
The conduct of NS’s employees and the choices they make in their work are crucial to the integrity of the company. We promote a culture of openness and accountability by adopting the Hearts and Minds method to stimulate professional integrity and provide for periodic measurements of the maturity level achieved. Additionally, NS has a planning and control system in place that helps to make and keep integrity and compliance risks and issues within the organisation visible and manageable.
NS also applies an updated Code of Conduct that helps employees make decisions and conscious choices in a range of possibly difficult situations, including the use of social media. Furthermore, the Code of Conduct forms a basis for handling integrity reports and investigations. The code is consistent with the relevant OECD guidelines and with the Dutch Corporate Governance Code. It serves as the basis for policies adopted for specific themes, such as conflicts of interest, competition, information protection, the fight against corruption and fraud. In addition, NS pursues a nationwide programme to improve existing social behaviours on the shop floor. The NS Code of Conduct serves as the guiding document for this programme.
Governance, integrity and compliance
The first line of defence is responsible for ethical business operations and regulatory compliance. It benefits from advice from various departments, including Legal, Risk, Finance, Procurement, HR, Security and Quality, Health, Safety & Environment. Our Integrity department supports efforts to encourage desired behaviour, regulatory compliance and observance of the NS Code of Conduct. The department develops policy, provides information on that policy, investigates integrity violation reports, provides solicited and unsolicited advice and promotes integrity awareness within NS. This task was moved to HR and NS Risk in 2021. Supervision of business risks in the area of integrity and compliance, and the associated reporting to the Executive Board, the Supervisory Board's Risk and Audit Committee and the organisation, were transferred to NS Risk in 2021 to ensure integrated reporting. Issues are submitted to confidential advisors within NS, if and to the extent permitted by confidentiality rules.
NS has an Integrity & Compliance Committee, whose members include the Directors of HR, Legal, Security and Risk. This committee assesses new integrity and compliance policies and provides advice on I&C-related issues and reports.
Advice and information for employees
On the Integrity Portal on the intranet, employees can find a wealth of information about integrity and compliance-related issues. For instance, the portal includes a current overview of NS's integrity and compliance policies. In addition, employees are free to submit concrete issues and dilemmas to the Integrity department. They can ask questions by email or by telephone. The Integrity department advises employees about possible solutions and measures. In 2021, the department answered 293 questions.
Integrity Desk and Regulations for Reporting Integrity Issues
The Regulations for Reporting Integrity Issues (including whistle-blower reporting) guarantee that employees can report actual or suspected irregularities, that NS deals with these reports carefully and confidentially and that employees will not experience any adverse consequences of having reported an incident. Employees have several options for (anonymously) reporting integrity issues or abuses: via the Integrity Desk on the internal network, via a special app, by email, by telephone or in a one-on-one conversation. An integrity violation report may result in a recommendation to the person who reported the issue and to the managers involved on any subsequent steps or measures. It may also be decided to ask NS Security to conduct an independent investigation into the cause of the incident, with NS taking measures based on the outcomes. A total of 75 integrity violation reports were received in 2021. This is an increase compared with the 66 reports received in 2020, but the figure for that year appears to have been a temporary low relative to previous years (2019: 96). Of all finalised reports in 2021, 28% were found to be wholly or partially founded.
Employees may seek support from one of NS's confidential advisors if they want to report an integrity violation (or another issue). In 2021, they did so on 118 occasions (2020: 80). This increase is attributable to the higher number of questions on workplace conflicts resulting from the transformation and the associated reorganisation. External stakeholders can report issues to NS via a special desk.
We are aware that as a state participation we serve as an example to other players, must be transparent on our regulatory compliance and act with integrity at all times. We are keen to ensure, therefore, that we comply with all the applicable laws and regulations and abide by the standards and values in force. In these efforts, NS is bound to an extensive compliance framework that governs compliance with external laws and regulations such as the Railways Act, the Competition Act, the main rail network franchise, NS's obligations under the CLA, the Working Hours Act and the Working Conditions Act. Over the past year, NS has taken additional measures to make sure that our employees’ (digital) home offices meet the requirements of the Working Conditions Act.
In addition, we apply internal policy frameworks such as the NS Code of Conduct, the procurement regulations and the train drivers' manual. NS has a compliance management structure in place to ensure that we keep abreast of this multitude of rules, standards and norms and are able to put our social responsibility into practice. These requirements have been translated into performance indicators and norms regarding aspects such as competition, tendering procedures, privacy issues and safety. We also have a dashboard for NS as a whole, covering the key risks and issues regarding compliance plus an overview of all relevant KPIs. In addition, we provide training courses in all parts of the company to keep our employees’ knowledge of laws and regulations up to date.
The need to handle our passengers' and employees’ personal data carefully is self-evident. Our approach is based on four principles: ‘Transparent’, ‘Safe with NS’, ‘Choice and control’ and ‘Innovative and open’. To safeguard compliance with privacy laws, NS has set up a privacy structure and privacy governance system and maintains a permanent focus on privacy training and awareness, for example through (compulsory) e-learning programmes, training courses and newsletters. We have appointed ‘privacy champions’: employees who, in addition to their regular work, answer questions and serve as the eyes and ears of the Privacy Office within their respective business units. Together with the Data Protection Officer and the Privacy Officers, these privacy champions make up the privacy function within NS. This enables us to maintain short lines of communication between the business units and the privacy experts and to create an extensive network for privacy-related knowledge within NS as a whole.
‘My NS’ incident
Despite NS's careful handling of customer and employee data, incidents cannot be ruled out. One serious incident in 2021 was a cyberattack on customers’ My NS accounts. The accounts of these customers were hacked using passwords obtained from outside NS. We informed the customers concerned and reset their passwords. In cases such as these, NS always notifies the supervisory authority and the person concerned. In all cases, data leaks also serve as input for process improvements.
Privacy by design
Effective and careful data processing starts with privacy by design. NS integrates measures to protect the privacy of individuals in the very design of a product or service. In addition, we conduct frequent data protection impact assessments to identify any risks for the individuals concerned and take measures to control those risks.