NS wishes to keep the Netherlands accessible in a sustainable manner. Our operations involve a number of uncertainties. Risk management is all about targeting uncertainties that could impede the achievement of the strategic objectives.
Organisation of risk management
To ensure permanent integral management of risks, risk management must move along with internal and external developments. We use planning schedules and analyses to present a realistic picture of the future impact of uncertainties and risks, so as to gain better insight into the reliability of project-related plans, policy choices and risk budgets. This supports our decision-making process.
Recording and reporting
We have recorded identified risks, including the risk owners, in risk registers and assign quantitative scores to those risks using a single, uniform risk matrix. Every three months, NS reports the main risks for each business unit; those reports are discussed in the Executive Board as part of the planning and control cycle. Any risks that fall outside our risk appetite are reported immediately and escalated where necessary. The Executive Board reports on and renders account for the risk management and internal control system to the Supervisory Board after discussing it in the Risk and Audit Committee.
Risk appetite and risk tolerance
The risk appetite and risk management we are aiming for in six risk themes at NS can be found in our ‘risk appetite statements’. Each risk theme is linked to specific performance indicators with a quantitative bandwidth. Every year, the Executive Board evaluates and, if necessary, adjusts the risk appetite for each theme. The table below presents the current risk appetite for each risk theme plus the most important group risks. NS adapted its risk appetite in 2022 in response to the impact of several factors, including the staff shortage. The shortages on the labour market, the unexpectedly high outflow and internal advancement of (in particular) main guards and the high sickness absence rate had a substantial impact on our operational performance over the past year. The staff shortages may prove persistent and could even increase, given the persistently tight labour market and our ageing operational workforce. This is why NS has become more risk averse in the field of operations. Specifically, this means that operational risks are now more likely to qualify as unacceptable in the risk matrix.
The individual risks have been included in a risk matrix. The more to the right the risk is positioned (from A to F), the more likely it is to materialise. The higher its position in the matrix (from 1 to 7), the greater its impact on NS's objectives should the risk materialise. The colours show how each risk relates to NS's risk appetite and at which level within NS any residual risk should be accepted if no further mitigating measures are or can be taken. Click on a risk for a pop-up explanation.
Main group risks: 1 - Staff shortages 2 - Revenue 3 - Costs 4 - Infrastructure 5 - Absenteeism due to psychological causes 6 - Cyber threat 7 - ICNG 8 - Non-compliance 9 - Safety 10 - Digitalisation
- 1Staff shortage
- 5Psychological absence
- 6Cyber threat
- 7ICNG delayed
1. Staff shortage
The risk that we do not have enough skilled and vital employees.
Greatly increased tight conditions on the labour market, higher outflow and transfer of employees, high absenteeism also due to increased work pressure. This risk occurred in 2022 and led to continuity problems.
Limit outflow through better retention (including later retirement, flexibility in rosters) and focus on employee experience and increased vitality.
Increase inflow through employer branding, proactive recruitment and further scaling up of training capacity.
More robust planning and timetables, with which shortages are better and more predictably accommodated.
In consultation with social partners to adjust deployment model, with measures in the short term (e.g. deployment of office staff) and long term.
The risk of disappointing revenue due to the scaling down of the timetable, the resurgence of the COVID-19 virus, and the insufficient ability to bind new passengers to us and to activate existing passengers to travel more.
Revenue in 2022 was still less than before the outbreak of COVID-19. We also expect substantially lower revenue in the coming years due to, among other things, more working from home, a decrease in purchasing power and the termination of the availability payment after 2022. The scaled-down timetable makes it difficult to achieve further growth.
We conduct continuous research in order to gain insight into changing travel behaviour and customer satisfaction. Passenger forecasts are therefore regularly updated. These insights are used, among other things, for:
activating our season ticket and business card holders to travel more often;
adjusting propositions to continue to meet the wishes of customers as much as possible;
targeted marketing and communication to bind new passengers to NS;
the targeted deployment of train (reinforcements) in order to prevent crowded trains.
The risk that the € 1.4 billion savings will not be realised or that cost increase.
The savings plan of € 1.4 billion up to and including 2024, which was drawn up in consultation with the social partners, is roughly according to plan. On the other hand, costs are increasing due to inflation with an impact on salaries, equipment, materials, parts and financing interest, while rail fares cannot be increased as much as the rate of inflation. The costs of the digitalisation process that NS is going through, as well as cyber security measures, are also rising.
Tight monitoring of savings initiatives.
Collective labour agreements made until 1 January 2024.
Energy costs are covered until 31 December 2024.
Negotiation with contracting authority about the terms and conditions in the franchise from 2025.
The risk that the implementation of the timetable and the realisation of our ambitions (high frequency and speed increase) will be negatively affected by infrastructure bottlenecks.
In 2022, infrastructure bottlenecks have emerged that negatively affect the operation of the train services and the realisation of our domestic and international ambitions. It is positive that the government is releasing € 4 billion for investments in the railways. Despite the fact that € 585 million is available within these investments for already known bottlenecks, NS considers this insufficient to remove all these bottlenecks (track stability, level crossings, energy).
We are discussing these matters within the Medium-Term process with ProRail and Ministry of Infrastructure and Water Management and NS is requesting explicit attention for the removal of future infrastructure bottlenecks.
Influence the planning of service disruptions to limit passenger inconvenience.
Supporting ProRail in monitoring the condition of the infrastructure.
Preparing alternative planning in the case of infrastructure failure, such as during last year’s severe winter weather.
NS takes a much more active role in some infrastructure files (such as Schiphol or Amsterdam).
Continuously shortening the logistics lead times so that the planning can be quickly adjusted in the event of long-term infrastructure bottlenecks, such as this year at Swifterband.
5. Psychological absence
The risk of psychosocial complaints due to work stress.
The workload increased sharply in 2022 due to structural staff shortages and persistently high sickness absence rates.
Set up policies and procedures properly.
Monitoring the follow-up of results and actions in response to MBO 2022 and NS-wide in-depth risk analyses (RI&Es).
Reporting on psychological absence with Arbo Unie to enable targeted (collective) actions.
6. Cyber threat
The risk of a cyber attack because NS does not meet the compliance or security requirements for IT or OT (= IT on and around the train).
NS has taken further control measures, but in the meantime the threat level is greater due to further (chain) digitalisation and cyber threats are increasing, partly due to the now hybrid war from Russia directed towards vital infrastructures.
Implementation of the NS Cyber Security Management System (CSMS) and ISO27001 certification on NS Business Card processes.
Increased attention to cyber-safe culture, partly based on phishing campaigns and NS-wide knowledge sessions.
Cyber roadmap with measures to intrinsically reduce the cyber vulnerability of NS, based on a secure-by-design set-up and architecture.
Further development of human and technological capacity for early detection and follow-up of cyber incidents.
7. ICNG delayed
The risk that further delay of ICNG leads to insufficient back-up rolling stock or even a period with insufficient rolling stock in operational service (after the outflow of Traxx locomotives).
We have not realised the ambition for the ICNG inflow in 2022 due to essential software updates, the length of the admission process, capacity and delivery problems due to COVID-19, the war in Ukraine and setbacks in production. NS has produced a new schedule, in which the passenger service with ICNG will start in Q2 2023. In this schedule, it remains feasible to complete the full inflow of ICNG between Amsterdam and Breda in 2023.
Maximum extension of the contracts for Traxx locomotives and the life of the ICM carriages (back-up rolling stock).
Maximum control of Alstom on timely delivery of ICNG within the framework of the functional requirements and quality.
Continuous consultation with IL&T about the optimal course of the admission procedure.
Intensive cooperation between NO Process Management and Programme ICNG to incorporate the latest forecasts regarding the delivery of ICNG on time in the rolling stock planning, in order to limit any impact on timetable steps in 2023 to 2025 as much as possible.
The risk that NS does not comply with legislation and regulations or that applicable standards and values are exceeded.
We further strengthened the control of compliance in 2022, as part of a multi-year programme. In addition, compliance policy, monitoring and accountability were further expanded.
In the area of undesirable behaviour, the improvement in 2022 will be limited.
An NS-wide integrated compliance vision has been established in 2022.
Regular reporting takes place through an NS-wide compliance dashboard with key risks, issues and relevant KPIs.
NS-wide training courses to keep employees’ knowledge of legislation and regulations up-to-date.
A national programme to improve behaviour on the shop floor based on the NS Code of Conduct.
The risk that NS does not take adequate measures to prevent safety incidents or does not sufficiently fulfil its duty of care.
The key risks have been updated for each domain by owners and advisers. We manage the risks more proactively with KPIs.
In the field of social safety, the visibility of NS in 2022 was sometimes insufficient.
Rail travel is one of the safest forms of mobility. NS seeks to continue improving safety by controlling risks and continuously improving performance. Considerable progress has been made in all areas.
In the field of social safety, we focus more specifically on the visibility of personnel in trains and at stations based on data-driven efforts. At a local level, NS works with government bodies, the police and agencies on specific measures. NS cannot solve some problems itself and is working with the ministries involved on a ‘10-point plan’.
Crowding at the stations continues to increase due to more events and more travellers at the weekends. NS is working on integrated process improvement with regard to events, with a specific focus on Bijlmer Arena station.
The risk that the customer relationship deteriorates and that agile logistics cannot improve because we do not realise digitalisation projects.
Insufficient availability of IT personnel and complexity of IT systems have a negative impact on the digitalisation acceleration.
The most important critical systems in train logistics control have been replaced. The large operational legacy systems, including the travel information system and Data Warehouse systems, are in transition for replacement.
Strategic plan for recruitment of IT personnel and strategic personnel planning. Internal data talent training programme ready.
Plan for a digital commercial strategy about, among other things, standardising digital distribution channels.
Development of effective target architecture.
Key changes in the risk profile compared with 2021
The risk profile saw a negative development in 2022, especially on the risk theme of Operations, where the shortage of staff had a considerable impact on our operational performance. The risks in connection with Safety and Finance remain high. We do however note an improvement on the theme of Compliance, where our measures are becoming increasingly effective.
Operations: The main risk is that the existing staff shortages persist or become even worse. The shortages are attributable to the structural staff shortages on the labour market, high exit and internal advancement rates among main guards, high sickness absence levels and our ageing operational workforce. The most visible effect of these staff shortages are their direct consequences for train services, but shortages also affect other job categories and business processes. This effect is strengthened by the risk of psychological sickness absence, caused by factors such as high work pressure and persistent COVID-19-related health issues. Another persistent risk is infrastructure, where - despite the announced government investments - quality and volume issues can potentially result in product development steps being postponed or cancelled altogether, or in increasing levels of operational vulnerability.
Finances: Revenue levels remain uncertain due to lower passenger number forecasts and changing travel behaviour following the COVID-19 lockdowns. Furthermore, cost-related risks increased in 2022 as a result of higher inflation rates and disrupted supply chains.
Safety: Rail travel remains one of the safest forms of mobility. However, rail travel is not immune to the increasing rudeness in social intercourse (personal safety) nor to the increasing risks in the cybersecurity domain.