Risk management is the deliberate handling of uncertainties that could have a negative effect on achieving the strategic objectives. The following topics are dealt with in order to provide a picture of risk management at NS in this chapter: the risk appetite, the current risk profile, the organisation of risk management and the key risks.

Risk appetite and risk tolerance

The risk appetite and the risk management we are aiming for in eight risk themes at NS can be found in what are called the ‘risk appetite statements’. Virtually all the risk themes are linked to specific performance indicators, some of them with quantitative bandwidths. Each risk appetite theme is evaluated annually by the Executive Board and adjusted if necessary. NS's risk appetite remained unchanged in 2017:

In 2017, we used stress testing to compare NS's risk profile against the risk appetite. Extreme but plausible scenarios were chosen for the stress tests. For the scenarios, the impact of risks on the objectives of NS is determined based on various financial and operational models in order to reveal any potential vulnerabilities. They make clear when action is required to give a large degree of certainty that the business objectives will be achieved.

Risk profile

NS has agreed ambitious targets with the Ministry of Infrastructure and Water Management for the KPIs for the domestic rail network. Some elements of these objectives have a high risk profile. In addition, when carrying out services, NS is exposed every day to many internal and external factors that potentially affect the operational performance, reputation and financial position of NS.

In addition to the known and existing risks, NS is also actively trying to identify new emerging risks that may threaten the achievement of the business objectives. Insights into this have improved in 2017, when NS actively entered into a dialogue with management teams, the Executive Board, supervisory authorities and external parties involved about developments in the environment and their effect on NS. Ten emerging risks have been identified by the Executive Board, such as extreme disruption caused by specific vulnerabilities, demography and urbanisation, that are part of the risk management process.

Organisation of risk management

It is important for NS that the risk management system operates properly. To ensure permanent integral management of risks, risk management must move along with internal and external developments. Additionally, there are various other measures that we use to manage risks, such as the planning and control cycle, the risk framework, the business control framework and investigations of various incidents. They will be dealt with in various parts of this report.

Governance

The organisation of NS’s risk governance is based on the ‘three lines of defence’ model. The guiding principle in this model is that the first line of defence (the operational business) is responsible for the management of the risks by embedding this properly in processes with clear responsibilities. The second line of defence (which involves the Risk department) provides support and advice and makes sure that line managers are fulfilling their responsibilities as intended. The third line of defence, involving the Internal Audit department, carries out independent checks to make sure that the system of risk management and internal controls is indeed working properly.

In 2017 we improved the cooperation between the Risk, Integrity & Compliance, Legal and Audit departments. This enhances the overall risk management because it ensures greater cohesion in the planned activities from the perspective of the business side.

Furthermore, a number of points for improvement regarding risk management and control systems were identified within NS in 2017: they involve the governance, reporting and monitoring. Cooperation within the risk management work field was improved in 2017 and the Risk and Audit Committee appointed. In addition, the risk policy was formalised and various parts of the Risk Framework have been translated into practical tools, as a result of which risks can be identified more easily and in a uniform way, both in the regular processes and within projects. Although internal risk management systems and control systems were already being used, the basic assumptions are not always the same. The basic assumptions were determined in 2017, and further steps will be taken in 2018 to ensure all main processes have a control framework that meets these basic assumptions.

Risk management system

NS has implemented a system for identifying and controlling risks, in which all levels of the organisation in the first line of defence are actively asked to focus on risk management. The Risk department aims to set up integral risk management together with specialised risk departments and the operational business, and to make risk assessments systematically (weighing risks up against the risk appetite). It consists of four cornerstones:

• Regular consideration of risks by the management in the form of risk assessments

• Active monitoring of proper risk management within projects and programmes

• Weighing up risks in decision-making

• Analysing incidents to learn from mistakes made

This ensures stronger control and will help NS to detect potential bottlenecks or opportunities at an early stage and make targeted and proactive changes in response. The degree of support by the second line of defence in these processes is determined based on a risk assessment beforehand and the position within the company.

Recording and reporting

Identified risks and the risk owners are recorded in risk registers. Important steps were taken in 2017 to quantify risks where possible; this will be rolled out further in 2018. Once a quarter, the main risks for each business unit are reported and discussed in the Executive Board as part of the planning and control cycle. A recently selected Enterprise Risk Management system supports the recording and reporting of risks. In 2018, this will ensure a more uniform procedure for risk management. Risks that exceed the tolerance thresholds are reported immediately and escalated if necessary. The Executive Board reports on and renders an account of the risk management system and internal control to the Supervisory Board after discussing this in the Risk and Audit Committee.

Culture

Risk management must become part of our DNA, but without hindering the business operations. Staff are becoming ever more aware of risk, in part because of the activities and training organised by the Risk department. The Risk department is an integral but independent NS unit. It informs, challenges, takes stands and provides advice (both on request and unsolicited) based on its knowledge of our company, without judging. The department helps come up with solutions that do justice to the various interests and help NS implement its strategy.

Statement by the Executive Board

The Executive Board believes that the risk management and internal control systems relating to the financial reporting risks in the financial year functioned satisfactorily and give a reasonable degree of assurance that the financial reports do not contain any material misstatements.The report thus gives a sufficiently clear picture of how the above-mentioned systems work. The Executive Board states that as far as it is aware:

• the financial statements give a true and fair view of the assets, liabilities, financial position and profits of NS and the companies included in the consolidation as a whole;

• the annual report gives a true and fair view of the situation on the balance sheet date and the course of business during the financial year;

• it is justifiable given the current state of affairs that the financial reporting has been drawn up on a ‘going concern’ basis; and

• the materially relevant risks and uncertainties stated in the annual report are appropriate for the expected continuity of the company for a period of twelve months after the report was drawn up.