Organisational culture, integrity and compliance
NS aspires to be an organisation characterised by an open and safe corporate culture where professional integrity is a matter of course. We attach great importance to result-oriented working practices that are consistent with the norms and values to which we have committed ourselves. We approach risks and issues surrounding integrity and compliance in a controlled and balanced manner.
The conduct of NS’s employees and the choices they make in their work are crucial to the integrity of the company. We promote a culture of openness and accountability. The NS Code of Conduct serves as the basis for professional behaviour in work situations, for all colleagues. We updated the Code of Conduct in 2022, and added a policy on the use of social media. This is intended to help NS employees make appropriate decisions and conscious choices in a wide range of potentially complex situations. The Code of Conduct is available to all employees via the intranet.
The Code of Conduct also forms a basis for handling integrity reports and investigations. The code is consistent with the relevant OECD guidelines and with the Dutch Corporate Governance Code. This means that there are also safeguards within NS for the protection of human rights. The code serves as the basis for policies on specific themes, such as conflicts of interest, competition, information protection, the fight against corruption and fraud. In addition, NS pursues a nationwide programme to improve existing social behaviours on the shop floor, which is intended to fight harassment and racism, among other things. The NS Code of Conduct serves as the guiding document for this programme. Additionally, NS has a planning and control system in place that helps to make and keep integrity and compliance risks and issues within the organisation visible and manageable.
Governance and integrity
The operational departments within NS are responsible for ensuring ethical business practices. Our Integrity department supports efforts to encourage desired behaviour, regulatory compliance and observance of the NS Code of Conduct. It develops policies, provides information on those policies, investigates integrity violation reports, analyses trends, offers solicited and unsolicited advice and promotes integrity awareness within NS. Issues are submitted to confidential advisers within NS, if and to the extent permitted by confidentiality rules. To escalate integrity issues, the Integrity department also has a direct line of communication with the chair of the Executive Board and the Supervisory Board.
NS has an Integrity Committee, whose members include the Directors of HR, Legal, Security and Risk. This committee assesses new integrity policies and provides advice on integrity issues.
Advice and information for employees
On the Integrity Portal on the intranet, employees can find a wealth of information about integrity and NS's policy in this regard. In addition, employees are welcome to submit concrete issues and dilemmas to the Integrity department. They can ask questions by email or by telephone. The Integrity department advises employees about possible solutions and measures. In 2022, the department answered 297 questions.
Integrity Desk and Regulations for Reporting Integrity Issues
The Regulations for Reporting Integrity Issues (including whistle-blower reporting) guarantee that employees can report actual or suspected irregularities, that NS deals with these reports carefully and confidentially and that employees will not experience any adverse consequences as a result of having reported an incident. Employees have several options for (anonymously) reporting integrity issues or abuses: via the Integrity Desk on the internal network, via a special app, by email, by telephone or in a one-on-one conversation. An integrity violation report may result in a recommendation to the person who reported the issue, and to the managers involved, on any subsequent steps or measures. It may also be decided to ask NS Security to conduct an independent investigation into the cause of the incident, with NS taking measures based on the outcomes. In 2022, a total of 82 integrity violation reports were received (2021: 75). Of all finalised reports in 2022, 17% were found to be wholly or partially founded.
Employees may seek support from one of NS's confidential advisers if they want to report an integrity violation (or another issue). This possibility was used 163 times in 2022 (2021: 118). The increase can be attributed to a special communication effort that helped to increase awareness of the possibility to consult a confidential adviser, and to bring attention in society at large to undesirable behaviour. External stakeholders can report issues to NS via a special desk.
We are aware that as a state participation we serve as an example to other players, must be transparent on our regulatory compliance and act with integrity at all times. We are keen to ensure, therefore, that we comply with all the applicable laws and regulations and abide by the standards and values in force. In these efforts, NS is bound to an extensive compliance framework that governs compliance with external laws and regulations such as the Railways Act, the Competition Act, the main rail network franchise, NS's obligations under the CLA, the Working Hours Act and the Working Conditions Act. In addition, we apply internal policy frameworks such as the NS Code of Conduct, the procurement regulations and the train drivers' manual.
NS has a compliance management structure in place to ensure that we keep abreast of this multitude of rules, standards and norms and assume our social responsibility. Primary responsibility for compliant working practices rests with the NS business units. They can seek advice from various compliance knowledge centres, such as NS Legal and Quality, Health, Safety & Environment. The Risk & Compliance department supervises this arrangement and reports on its findings to the Executive Board and the Supervisory Board.
These requirements have been translated into performance indicators and norms regarding aspects such as competition, tendering procedures, privacy issues and safety. We also have a dashboard for NS as a whole, covering the key risks and issues regarding compliance (such as critical data leaks or undesirable behaviour) plus an overview of all relevant KPIs. In addition, we provide training courses in all parts of the company to keep our employees’ knowledge of laws and regulations up to date.
For NS, the need to handle our passengers' and employees’ personal data carefully is self-evident. ‘Transparent’, ‘Safe with NS’, ‘Choice and control’ and ‘Innovative and open’ are the principles governing our work. To safeguard compliance with privacy laws, NS has set up a privacy structure and privacy governance system and maintains a permanent focus on privacy training and awareness, for example through (compulsory) e-learning programmes, training courses and newsletters. Last year we once again appointed ‘privacy champions’: employees who, in addition to their regular work, answer questions and serve as the eyes and ears of the Privacy Office within their respective business units. Together with the Data Protection Officer and the Privacy Officers, these privacy champions make up the privacy function within NS. This enables us to maintain short lines of communication between the business units and the privacy experts and to create an extensive network for privacy-related knowledge within NS as a whole. In December 2022, there were 92 active privacy champions within NS (2021: 80).
‘My NS’ incident
Despite NS's careful handling of customer and employee data, incidents cannot always be prevented. One serious incident in 2022 was a ‘credential stuffing’ attack on customers’ My NS accounts. The accounts of these customers were hacked using passwords obtained from outside NS. We informed the customers concerned and reset their passwords. In cases such as these, NS always notifies the supervisory authority and the person concerned. In all cases, data leaks also serve as input for process improvements.
Privacy by design
Effective and careful data processing starts with privacy by design. This means that we recognise the need to protect the privacy of data subjects right from the initial design phase of a product or service. In addition, we conduct frequent data protection impact assessments to identify any risks for the individuals concerned and take measures to control those risks.