As part of the planning and control cycle, the Executive Board has determined the principal group risks based in part on the risks that have been identified within the business units. The Board has looked at how these risks affect the achievement of the strategic objectives and the materially relevant themes. The group risks will be discussed in detail below, as will changes in the risk profile with respect to 2016. For the financial risks, please refer to the ‘Financial risk management’ chapter in the financial statements.
Key changes in the risk profile compared with 2016
Two new risks have been added: the implementation of ERTMS, and legislation and regulations. The risk that the introduction of ERTMS will lead to a reduction in operational performance, or even unacceptable inconvenience to customers, has potentially major consequences for the performance of NS. Plus the risk that forthcoming major legislative changes, such as the General Data Protection Regulation, increase caused the risk that NS will not have changed all processes to meet legislation and regulations on time. The risk change programmes as reported in 2016 have become improvement capacity with respect to risk, because it is the capacity to change and the effect of change programmes on NS’s efficacy that are the determining factors rather than the number of programmes. In recent years, a number of programmes have been completed that were aimed at the smooth introduction of large amounts of new rolling stock. FLIRT trains were introduced without major problems, demonstrating sufficiently clearly that NS is able to manage this risk. Permanent attention is being paid to the availability of rolling stock to make sure that this risk will be controlled in the long run too.
Looking ahead to the company’s risks in de the future
In the list given below, the key company risks have been classified into the eight risk themes used within NS and their relationships are shown to the COSO risk areas. The table gives the key measures for each risk, shows the trend in how it is being controlled and compares the desired risk profile (blue bullet) against the current risk profile (grey bullet).