NS aspires to be an organisation characterised by an open and safe corporate culture where professional integrity is a matter of course. While we attach great importance to result-oriented working practices, they should always be consistent with the norms and values to which we have committed ourselves. We have measured the maturity of integrity culture at NS since 2017. These measurements show that we pursue a controlled approach to risks and issues surrounding integrity and compliance. Integrity and compliance issues are a key consideration in all our decisions and management measures. Over the next few years, we intend to make further progress and develop into an organisation that tackles integrity issues proactively, thus preventing problems from arising.
Open and ethical culture
The conduct of NS’s employees in their day-to-day activities and the choices they make in their work are crucial to the integrity of the company. We promote a culture of openness and accountability by adopting the Hearts and Minds method, which stimulates professional integrity and provides for periodic measurements of the maturity level achieved. Additionally, NS has a planning and control system in place that helps to make and keep integrity and compliance risks and issues within the organisation visible and manageable.
NS applies an updated Code of Conduct that helps employees make decisions and conscious choices in a range of possibly difficult situations. The Code of Conduct also forms a basis for handling integrity reports and investigations. The code is consistent with the relevant OECD guidelines and with the Dutch Corporate Governance Code. It serves as the basis for policies adopted for specific themes, such as conflicts of interest, competition, information protection and fraud.
Integrity & Compliance governance
The first line of defence is responsible for ethical business operations and regulatory compliance. It benefits from advice by various departments, including Legal, Risk, Finance, Procurement, HR and Quality, Health, Safety & Environment. Our Integrity & Compliance (I&C) department focuses on encouraging desired behaviour, regulatory compliance and observance of the NS Code of Conduct. I&C develops policy, provides information on that policy, investigates integrity violation reports, provides solicited and unsolicited advice and promotes integrity awareness within NS. In addition, I&C monitors business risks surrounding integrity and compliance and reports on those risks to the Executive Board, the Supervisory Board's Risk and Audit Committee and the organisation. Issues are submitted to confidential advisors within NS, if and to the extent permitted by confidentiality rules.
Finally, NS has an Integrity Committee whose members include the directors of HR, I&C, Legal and Risk. This committee assesses new integrity and compliance policies and provides advice on I&C-related issues and reports.
Integrity Desk and Regulations for Reporting Integrity Issues
The Regulations for Reporting Integrity Issues (including whistle-blower reporting) guarantee that employees can report actual or suspected irregularities, that these reports will be dealt with carefully and confidentially and that employees will not experience any adverse consequences of having reported an incident. Employees have several options for (anonymously) reporting integrity issues or abuses: via the Integrity Desk on the internal network, via a special app, by email, by telephone or in a one-on-one conversation. An integrity violation report may result in a recommendation to the person who reported the issue and to the managers involved on any subsequent steps or measures. It may also be decided to investigate the cause of the incident and take specific measures if required. In 2020, a total of 66 integrity violation reports were received (2019: 96). The number of reports dropped in the second quarter, presumably because most people were working from home and had fewer contacts. In the second half of the year, however, figures returned to their pre-COVID level. Of all finalised reports in 2020, 39% were found to be wholly or partially founded.
Employees may seek support from one of NS's confidential advisors if they want to report an integrity violation (or another issue). In 2020, they did so on 80 occasions. External stakeholders can report issues to a special desk.
Advice and information for employees
On the Integrity Portal on the intranet, employees can find a wealth of information about integrity and compliance-related issues. For instance, the portal includes a current overview of NS's integrity and compliance policies. Employees can also use the Integrity Portal to submit specific issues and dilemmas to I&C. Alternatively, they can ask questions by telephone or drop by in person. I&C will then advise them about possible solutions and measures.
In addition, employees receive regular information about current developments and issues, for example during the Integrity Week. We also use messages, thematic bulletins and newsletters to draw our employees' attention to themes such as communication and behaviour, conflicts of interest or social conduct. I&C organises dilemma sessions for all parts of the organisation, from the Executive Board to teams in the various regions, in which teams are invited to discuss issues surrounding integrity, compliance and social conduct. In 2020, 377 such dilemma sessions and dialogues were held.
We are aware that as a state participation we serve as an example to other players, must be transparent on our regulatory compliance and act with integrity at all times. We are keen to ensure that we comply with all the applicable laws and regulations and abide by the standards and values in force.
In these efforts, NS is bound to an extensive compliance framework that governs compliance with external laws and regulations such as the Railways Act, the Competition Act, the main rail network franchise, NS's obligations under the CLA, and the Working Hours Act. In addition, we apply internal policy frameworks such as the NS Code of Conduct, the procurement regulations and the train drivers' manual. NS has a compliance management structure in order to ensure that we keep abreast of this multitude of rules, standards and norms and are able to put our social responsibility into practice. These requirements have been translated into performance indicators and norms regarding aspects such as competition, tendering procedures, privacy issues and work requirements. We also have a dashboard for NS as a whole, covering the key risks and issues regarding integrity and compliance, plus an overview of all relevant KPIs. In addition, NS pursues a nationwide Desired Behaviour Programme to improve existing social behaviours on the shop floor. The NS Code of Conduct serves as the guiding document for this programme. NS also invests in improving its employees' knowledge of specific compliance themes. For example, in 2020 we ran a series of training programmes on competition and privacy.
The need to handle our passengers' and employees’ personal data carefully is self-evident. Our approach is based on four guiding principles: ‘Transparent’, ‘Safe with NS’, ‘Choice and control’ and ‘Innovative and open’. To safeguard compliance with privacy laws, NS has set up a privacy structure and privacy governance system and maintains a permanent focus on privacy training and awareness, for example through (compulsory) e-learning programmes, training courses and newsletters. We have appointed ‘privacy champions’: employees who, in addition to their regular work, answer first-line questions and serve as the eyes and ears of the Privacy Office within their respective business units. Together with the Data Protection Officer and the Privacy Officers, these privacy champions make up the privacy function within NS. This enables us to maintain short lines of communication between the business units and the privacy experts and to create an extensive network for privacy-related knowledge within NS as a whole.
Despite NS's careful handling of customer and employee data, incidents cannot be ruled out. For instance, a person may lose a mobile phone that was not locked. In a more serious incident last year, NS International sent more customer data to Facebook than the customers themselves had given permission for. Those data have since been deleted. The most problematic incident, however, was an attack in which hackers used passwords obtained from elsewhere to access the accounts of NS customers. The customers concerned were informed and their passwords reset. In cases such as these, NS notifies the supervisory authority and/or the person concerned. In all cases, data leaks also serve as input for process improvements.
Effective and careful data processing starts with applying privacy-by-design principles. According to this method, NS integrates measures to protect the privacy of individuals in the very design of a product or service. NS also frequently conducts data protection impact assessments to identify any risks for individuals and take measures to mitigate those risks.