Content Subject

IT reliability

Description

The risk that progress in the outside world and delays in the execution of the migration strategy may lead to a shortage in the required level of knowledge and capacity, as a result of which not all IT systems meet the operational requirements or IT security requirements. The consequence of this is that NS fails to meets its strategic ambitions and cannot guarantee the continuity of its service.

Explanation

Reliable IT systems are needed for running our timetable and delivering sufficient service to our customers. IT is an increasingly important and critical factor in the management of NS’s operations, in particular in the provision of information for our passengers, and the control and adjustment of the timetable. There are three cornerstones that are key in facilitating: a stable, efficient and scalable IT infrastructure, sufficient and qualified staff, and sufficiently controllable systems in use. There are currently risks for each of them. Legacy systems are a matter of concern for a stable, efficient and scalable IT infrastructure. In an improving labour market, recruiting and retaining the right staff is increasingly a risk. The controllability is negatively affected by strong dependence on external suppliers, but also by developments in the IT sector which increasingly require inherently less controllable organisational forms such as cloud-based applications.

Measures

Outdated business applications will be replaced, if necessary. We have set up separate programmes for highly critical systems for this. We make conscious choices within the IT portfolio in this to make sure they fit in with the scarce resources. For the recruitment of staff, NS works intensively with training institutions and suppliers of temporary staff. Centralisation is used with the aim of creating a controllable IT environment.

Risk control trend

IT support when complying with increasing legislation and regulations (e.g. privacy) and increasing the defences against cybercrime risks continue to require attention when building new systems and modifying existing ones. Besides the recruitment of permanent staff, it is becoming more and more difficult to recruit temporary staff too. Further reductions in financial and staffing resources may cause delays in improvements. The overall level of control is the same.

Residual risk

Medium. The current risk profile does not yet fully match the desired risk profile.