Organisation of risk management

Risk management is all about deliberately tackling uncertainties that could impede the achievement of the strategic objectives. To provide a picture of risk management at NS, this chapter looks at risk appetite, the organisation of risk management and the key risks.

Risk appetite and risk tolerance

The risk appetite and the risk management we are aiming for in six risk themes at NS can be found in what are called the ‘risk appetite statements’. Virtually all the risk themes are linked to specific performance indicators, some of them with quantitative bandwidths. The risk appetite in each theme is evaluated annually by the Executive Board and adjusted if necessary. In 2018, the Executive Board reduced the number of themes from eight to six. The ‘Growth’ and ‘Staff’ themes have been incorporated in the remaining themes as the effects of the risks in those two themes essentially fall under other themes. The Executive Board redefined its risk appetite for the six themes:

Risk appetite (explanation: NS accepts):

  • Zero or minimal deviations from safety objectives

  • Zero or minimal deviations from integrity and compliance objectives

  • Zero or minimal deviations from operational objectives

  • Zero or minimal deviations from financial objectives

  • Zero or minimal deviations from reputation objectives

  • Wider deviations from sustainability objectives

Compared with 2017, the Executive Board has changed its risk appetite in the category ‘Finances’ from neutral to risk-averse. That underlines the focus required on achieving sufficient returns. Given the investment agenda for the years ahead and the requirement for NS to finance this investment independently and by its own efforts, it can permit itself fewer risks. NS must achieve a result that will enable it to continue to obtain financing through the market, which necessitates a rating of at least A+. In 2019, we will also accept only minimal deviations from our financial objectives and we will remain risk-averse. The risk appetite is being made more explicit in line with the NS Risk Framework. Whereas we were using stress tests in 2017, in 2018 we developed the risk appetite reporting system with regular assessments and reports showing whether the NS-wide risk profile is still in line with the risk appetite. These reports show the risk profile for each theme in comparison with the defined risk appetite and the key (group-wide) risks.

Organisation of risk management

It is important for NS that the risk management system operates properly. To ensure permanent integral management of risks, risk management must move along with internal and external developments. We therefore focused on developments such as the internal control framework, business continuity management and quantifying risks. Other measures that we use to manage our risks include the planning and control cycle, the Risk Framework and various investigations into incidents. They will be mentioned in various parts of this report. NS’s philosophy regarding the support and assurance that risks are identified and managed in an integral approach has also been worked out in detail and translated into specific, measurable objectives.
Risk governance at NS has been set up using the ‘three lines of defence’ model. The guiding principle in this model is that the first line of defence (the operational business) is responsible for the management of the risks by embedding this properly in processes with clear responsibilities. The second line of defence (which involves the NS Risk department) provides support and advice and makes sure that line managers are fulfilling their responsibilities as intended. The third line of defence, involving the Internal Audit department, carries out independent checks to make sure that the system of risk management and internal controls is indeed working properly.

The collaboration that was started in 2017 between the Risk, Integrity & Compliance, Legal, Audit, Security and Information Risk Management departments was continued in 2018. This enhances the overall risk management, for example because year plans are aligned, which ensures more coherence in the planned activities from the perspective of the business side.

In 2018, NS worked further on the Internal Control Framework so that it could be demonstrably in control of key processes and systems. This is a uniform framework for documenting and monitoring processes and systems, risks, control measures and how they function. To this end, NS initiated and executed pilots for operational and financial reporting.

Risk management system

NS has implemented a system for the identification and control of risks, in which all levels of the organisation in the first line of defence are actively asked to focus on risk management. The Risk department aims to set up integral risk management together with other specialised risk departments and the operational business, and to make risk assessments systematically (weighing risks up against the risk appetite). The system consists of four components:

  • Regular consideration of risks by the management in the form of risk assessments;

  • Active monitoring to ensure risks are being managed properly within projects and programmes;

  • Weighing up the risks during decision-making;

  • Analysing incidents that arose from deficiencies in risk management to learn from the mistakes made.

This ensures stronger control and will help NS to detect potential bottlenecks or opportunities at an early stage and make targeted and proactive changes in response. The degree of support by the second line of defence in these processes is determined on the basis of a risk assessment that is made beforehand.

Recording and reporting

Identified risks and the risk owners are recorded in risk registers. The various risk matrices and risk acceptance criteria that were used in the past in the different NS business units have now been harmonised and incorporated in a single uniform risk matrix. We expect this to lead to a better shared understanding of risk situations and consequently broader support for risk decisions. In 2018, NS made significant progress in several major projects on analysing and quantifying planning and budget risks where possible. This has led to better insights into project schedules and finances. We will be rolling this out further in 2019. We are also considering whether other areas could also benefit from quantification. Once a quarter, the main risks for each business unit are reported and discussed in the Executive Board as part of the planning and control cycle. The NS Risk department records the main risks in an Enterprise Risk Management system, which helps ensure a more uniform approach to risk management and a comprehensive overview of the risks. Risks that exceed the risk appetite thresholds are reported immediately and the situation is escalated, if necessary. The Executive Board reports on and renders an account of the risk management and internal control system to the Supervisory Board after discussing this in the Risk and Audit Committee.

Corporate culture

Risk management needs to become part of our DNA, but without paralysing the business operations. Staff are becoming ever more aware of risk, in part because of the activities and training organised by the NS Risk department. As a result, staff are openly discussing risks and incidents with the aim of further improving control. The NS Risk department is an independent unit that is also an integral part of NS. It informs, challenges, takes stands and provides both solicited and unsolicited advice based on its knowledge of our company and without judging. The department helps come up with solutions that do justice to the various interests and help NS implement its strategy.

Statement by the Executive Board

The Executive Board believes that the systems of risk management and internal control concerning the financial reporting risks in the year under review functioned satisfactorily and give a reasonable degree of certainty that the financial reports do not contain any material misstatements. The report therefore gives sufficient insight into the functioning of the said systems. The Executive Board states that as far as it is aware:

  • the financial statements give a true and fair view of the assets, liabilities, financial position and profits of NS and the companies included in the consolidation as a whole;

  • the annual report gives a true and fair view of the situation on the balance-sheet date and the course of business during the financial year;

  • given the current state of affairs, the preparation of the financial reports on a going-concern basis is justified;

  • the annual report specifies the material risks and uncertainties that are relevant to expectations about the company’s continuity for a period of twelve months after the compilation of the report.