NS wishes to keep the Netherlands accessible in a sustainable manner. Our operations involve a number of uncertainties. Risk management is all about targeting uncertainties that could impede the achievement of the strategic objectives.
Organisation of risk management
To ensure permanent integral management of risks, risk management must move along with internal and external developments. We use probabilistic planning schedules and analyses to present a realistic picture of the future impact of uncertainties and risks, so as to gain better insight into the reliability of project-related plans, policy choices and risk budgets. This supports the decision-making process.
Recording and reporting
Identified risks, including the risk owners, have been recorded in risk registers and are assigned quantitative scores using a single, uniform risk matrix. Every three months, NS reports the main risks for each business unit; those reports are discussed in the Executive Board as part of the planning and control cycle. Any risks that fall outside our risk appetite are reported immediately and escalated where necessary. The Executive Board reports on and renders account for the risk management and internal control system to the Supervisory Board after discussing it in the Risk and Audit Committee.
Risk appetite and risk tolerance
The risk appetite and risk management we are aiming for in six risk themes at NS can be found in our ‘risk appetite statements’. Each risk theme is linked to specific performance indicators with a quantitative bandwidth. Every year, the Executive Board evaluates and, if necessary, adjusts the risk appetite for each theme. The table below presents the current risk appetite for each risk theme plus the most important group risks. We apply a uniform method for determining the risk appetite for all of these themes, which also covers the subsidiaries Abellio UK and Abellio Germany. The risk appetite of NS in 2021 has not changed compared with 2020.
The individual risks have been included in a risk matrix. The more to the right the risk is positioned (from A to F), the more likely it is to materialise. The higher its position in the matrix (from 1 to 7), the greater its impact on NS's objectives should the risk materialise. The colours show how each risk relates to NS's risk appetite and at which level within NS any residual risk should be accepted if no further mitigating measures are or can be taken. Click on a risk for a pop-up explanation.
The more to the right the risk is positioned (from A to F), the more likely it is to materialise. The higher its position in the matrix (from 1 to 7), the greater its impact on NS's objectives should the risk materialise. The colours show how each risk relates to NS's risk appetite and at which level within NS any residual risk should be accepted if no further mitigating measures are or can be taken. We also provide explanatory notes to individual risks in the last table of this chapter.
- 5Foreign operations
- 7IT (including cyber)
- 9Psychological absence
The risk that NS in the Netherlands does not take adequate measures to prevent safety incidents or does not sufficiently fulfil its duty of care.
NS works on the basis of a maturity model (Hearts & Minds) to control safety risks. The key risks have been identified for each domain, owners and advisers have been assigned. The risks are managed proactively as far as possible.
Rail travel is one of the safest forms of mobility. NS seeks to continue to improve safety by means of the control of the safety risks and continuous improvement of safety performance. We have made great progress in all areas. In the area of cyber (see risk 7), more work is needed to reach the desired maturity and further manage the risks.
We implemented the technical and organisational measures in response to the major railway incidents (derailment and collision) in 2020 according to plan. Measures include adjusting the maintenance regime of trains and temporary speed restrictions when passing a number of unguarded level crossings.
In the field of security and social safety, NS has implemented organisational improvements and we are affiliated with the relevant government agencies. Terrorism situations are regularly practised. In addition, a programme to improve the monitoring of NS property has been initiated.
The risk that NS does not comply with legislation and regulations or exceeds applicable norms and values
The control of compliance was further strengthened in 2021, as part of a multi-year programme. In addition, compliance policy, monitoring and accountability were further expanded.
We also have a dashboard for NS as a whole, covering the key risks and issues regarding compliance plus an overview of all relevant KPIs.
In addition, we provide training courses in all parts of the company to keep our employees’ knowledge of legislation and regulations up-to-date.
NS has a nationwide programme to improve existing social behaviour on the shop floor. The NS Code of Conduct serves as the guiding document for this programme.
The risk of losing customers structurally and/or customers travelling less.
Revenue fell sharply in 2020 and 2021 as a result of COVID-19, and expectations for the coming years are also substantially lower, partly due to changed travel behaviour and more working from home. Ensuring that customers return is a key focus for our company and for the mobility issue facing the Netherlands. This is how we keep the Netherlands accessible.
Studies have taken place to understand changing travel behaviour, and we update passenger forecasts with greater regularity.
Such insights are used to:
Win back passengers with an offering that matches the new travel behaviour.
Attract new passengers by means of campaigns and improvements in the offering and services (e.g. increasing the supply of chain services, improvement of the App, new functionalities for business customers).
These insights are used whenever possible when making investments and any adjustments to services.
The risk that NS will not realise the savings required as a result of the COVID-19 crisis.
NS implementing a €1.4 billion savings plan for the period up to and including 2024; Agility is crucial. Implementation of these plans is coordinated with the employee participation bodies and trade unions, with some savings no longer being fully achieved (on time).
A dedicated team has been set up to drive the transformation and develop savings initiatives for direct and indirect employees. In this, we work together with social partners and employees. Investment plans are adjusted and put on hold if possible. We periodically reassess forecasts and monitor progress.
5. Foreign operations
The risk of NS making a loss on its investments abroad (Abellio).
In the United Kingdom, Abellio has signed two new contracts, whereby the risks lie more with the franchising authority. Abellio Germany is involved in insolvency proceedings and loss-making contracts in Germany are being restructured or terminated. There is an inherent risk of claims and litigation in insolvency proceedings.
In Germany, the restructuring processes in North-Rhine Westphalia and Baden-Württemberg have come to an end, but the risk of claims and lengthy proceedings remains. The other franchises will be continued and, insofar as they are loss-making, modified.
Franchises will be terminated in the United Kingdom, which involves financial risks upon closure.
The risk that the implementation of the timetable and the realisation of our ambitions (high frequency and speed increase) will be negatively affected by infrastructure bottlenecks.
In 2021, infrastructure bottlenecks have emerged that negatively affect the operation of the train services and the realisation of our domestic and international ambitions.
We discuss these matters within the Medium Term process together with ProRail and the Ministry of Infrastructure and Water Management.
7. IT (including cyber)
The risk of IT systems failing to meet operational and security requirements.
Measures are in place to increase control, but threats including cyber risks (including on the train) are now increasing as the threat landscape continues to grow.
The most important critical systems in train logistics control have been replaced. We will largely replace the major operational legacy systems, including the travel information system and Data Warehouse systems, by mid-2022 and 2023. Business continuity agreements with suppliers have been tightened.
In order to mitigate the IT capacity shortage, external staff will be replaced by in-house staff where possible and junior staff will be trained internally to a higher level of knowledge. The transformation plan is being implemented, among other things, through Agile working with extra attention being paid to retaining technical talent.
Based on a roadmap, cybersecurity will be further strengthened, both in terms of process by means of governance and policy, and substantively in the case of IT and operational technology (OT) on and around the trains. This is becoming increasingly important given the growing cyber threat and the designation of NS as a provider of an essential service.
Cyber risk analyses were conducted for example on the operational fleet and ransomware vulnerability.
NS participated in the creation of the ‘roadmap Vitaal’, which was drawn up under the leadership of the Ministry of Infrastructure and Water Management, and NS drew up an implementation plan for the Networks and Information Systems (Security) Act (WBNI). This will further shape the protection of vital mobility processes.
Awareness campaign concerning secure working from home and extra alertness internal IT security monitoring.
A phishing campaign has started and will continue for years to come.
Every NS employee has been given a secure laptop that can be used to work from home.
Access management has been tightened.
As a result of incidents, improvement actions have been taken on, for example, the website www.ns.nl.
The risk of NS failing to achieve sufficient change and innovation capability.
During the crisis, we kept the Netherlands moving and adapted to the new circumstances, and thus demonstrated our agility and flexibility. Because of the financial situation and forecasts of lower passenger numbers, we are structurally working on a smaller and more agile NS.
Supported by a Transformation Team, NS is working in a structured manner on cost savings, behavioural change and improved result-oriented strategies so that we can work together more decisively and respond more quickly to changes. We also promote advancement and retraining so that people remain employable and flexible in the changing context.
9. Psychological absence
The risk of psychosocial complaints due to work stress and COVID-19.
The transformation and the (governmental) measures resulting from the COVID-19 crisis have a negative impact on employees.
Regular measurements among employees to be able to take targeted measures.
Measures for safe and healthy home working (physical and mental).
Development and support of managers.
Stimulating movement and physical fitness.
Accessible supply of preventive coaching.
Targeted approach per target group to improve labour potential.
The risk of staff shortages due to tight labour market.
High staff outflow and slightly rising trend in absenteeism, combined with an increasingly tight labour market.
Strategic personnel plan per position.
Labour market campaign.
Focus on retention.
Scaling up training capacity.
Key changes in the risk profile compared with 2020
The table below presents the risk profile for NS's key risks in 2021 and the measures we have taken in response. We also describe the most significant changes.
Mixed risk profile
The risk profile shows a mixed development. Generally speaking, the profile is improving for the safety and compliance domains, where measures are becoming increasingly and visibly effective. The risks in the finance and operations domains remain high, however:
As regards finance in the Netherlands, uncertainty regarding passenger numbers remains high and turnover is under constant pressure due to changed passenger behaviour, such as the increasing tendency among employees to work from home. While the cost-saving measures are making progress, they risk being delayed.
As regards finance abroad (Abellio Germany), the restructuring processes in North Rhine-Westphalia and Baden-Württemberg have come to an end, but the risk of claims and lengthy proceedings remains. Franchises are also terminated in the United Kingdom, which involves financial risks upon closure.
As regards operations, the principal risks concern infrastructure, where the lack of funds (for investments and maintenance by ProRail) is becoming increasingly problematic.
Another important area of focus in 2021 was further adaptation to climate risks and mitigating cyber risks. Via the Taskforce on Climate-related Financial Disclosures (TCFD) we analysed the risks and opportunities for NS associated with climate change. These risks and opportunities are incorporated into the regular risk assessments.