Non-compliance

Description

The risk that NS fails to comply with legislation and regulations, such as the General Data Protection Regulation, or that NS violates internal or external norms and values, which may cause disadvantages for passengers, staff or other stakeholders, reputation damage, financial losses or sanctions from supervisory authorities.

Explanation

NS aims for controlled business operations, in which incidents are rare occurrences and legislation and regulations are complied with. To reduce the number of incidents, a number of conditions have to be met. These include a safe environment where incidents can be discussed in an open manner, which allows a better understanding of the background to incidents. By learning from reports and situations, NS can generate insights and take measures to prevent recurrences.

New and changed legislation and regulations must be translated into concrete policy to make sure that they can be implemented in the organisation with supporting processes and systems.

Measures

The Integrity & Compliance department has been a separate entity reporting to the Chief Governance, Risk & Compliance Officer since 1 January 2017. This department was expanded further in 2017. An internal communication portal has been set up for topics associated with integrity and compliance. The information in this Integrity Portal is regularly amended and supplemented in response to the latest developments. In 2017, the new NS scheme for reporting integrity issues (including ‘whistle-blower’ reports) came into effect. This scheme replaces the NS procedure for whistle-blowers. The NS Integrity Desk ensures that irregularities or suspicions of irregularities can be reported safely.

To promote consciously ethical conduct, a culture programme has been started with the aim of having lasting safeguards for an ethical corporate culture and permanent attention for conduct and integrity. This programme will be continued in 2018.

Additionally, NS keeps its understanding of applicable and changing legislation and regulations up to date in cooperation with NS Legal, so that NS can respond in good time and address the consequences for its business operations through policy, procedures and administrative processes. A great deal of attention has been paid to training and knowledge transfer, for example in the form of e-learning and team sessions. Delays or shortcomings on the part of NS in compliance with legislation and regulations may also result in reprimands, fines, court cases, claims and reputational damage. A lot of time and energy is currently being invested in translating the General Data Protection Regulation, which will be effective as of May 2018, into concrete policy and knowledge transfer within the organisation, to make sure that the proper preparatory measures are taken and that NS is compliant with the General Data Protection Regulation on time.

Risk control trend

The structure and the strategy of the NS organisation have been incorporated in the business operations, and are supported by measures. Enhancing a culture of openness and approachability is a less straightforward change to make. Progress has been made in both areas (structure and culture) in 2017, and additional steps have been planned for 2018. This has improved our risk control.

Residual risk

Medium. The current risk profile does not yet entirely match the desired risk profile.