Proactive risk management, as it has been understood by and practiced in the voestalpine Group for many years, serves to both ensure the existence of the Group as a going concern in the long term and boost its value and thus is key to the success of the voestalpine Group on the whole.
The voestalpine Group has had a comprehensive risk management system since the business year 2000/01, which is rooted in a general policy that applies throughout the Group and has been updated and expanded repeatedly since then.
This systematic risk management process assists management in identifying risks early on and initiating appropriate action to avert or prevent dangers. In the sense of responsible corporate management that is oriented toward both the long term and shareholder value, risk management is an integral part of the decision-making and business processes of all of the company’s divisions and hierarchy levels. Risk management covers the strategic and operational levels and is therefore a major element in the sustainable success of the Group.
Strategic risk management serves to evaluate and safeguard the strategic planning for the future. The strategy is reviewed as to its conformity with the Group’s system of objectives in order to ensure value-added growth based on the best possible allocation of resources.
Operational risk management is based on a revolving procedure (“identify and analyze, assess, manage, document, and monitor”) that is run several times a year uniformly across the entire Group. Operational risk management also includes ensuring conformity with the given strategy.
Identified risks are appraised using a nine-field assessment matrix that evaluates the extent of possible losses and the probability of their occurring. In the main, operational, environmental, market, procurement, technological, financial, compliance, and IT risks are documented at both the strategic and the operational level. The risk management process is supported by a special web-based IT system.
Since the coming into force of the Austrian Company Law Amendment Act of 2008 (Unternehmensrechts-Änderungsgesetz) and the resulting increase in the importance of the internal control system (ICS) and the risk management system, an Audit Committee has been set up at voestalpine AG which, among other things, is also tasked with continually addressing questions related to risk management and the ICS as well as the monitoring thereof; see also the “Audit Committee” chapter of this Annual Report. Both the risk management and the internal control systems are integral components of existing management systems within the voestalpine Group. Internal Audit monitors the operational and business processes and associated risks as well as the ICS and, in its capacity as an independent in-house department not bound by instructions, also has full discretion with respect to both the reporting on and the appraisal of the audit results.
Availability of raw materials and energy supplies
In order to ensure the supply of raw materials and energy in the required quantities and quality in the long term, the voestalpine Group has for some years already pursued a diversified procurement strategy that is appropriate to the heightened political and economic risks of this globalized market. Long-term supply relationships, the expansion of the supplier portfolio as well as the development of the Group’s self-sufficiency are the core elements of this strategy, which remain as important as before given the volatility of the raw materials markets; for details see the “” chapter of this Annual Report. As far as energy supplies are concerned, the Group is continually on the lookout for alternative energy resources.
Guideline for hedging the raw materials price risk
An internal guideline defines the objectives, principles, and responsibilities as well as the methodology, procedures, and decision-making processes that are applied to the handling of raw materials risks. Based thereon and taking into account individual specificities of the respective Group company’s business model, prices are hedged by way of delivery contracts containing fixed price agreements or by way of derivative financial instruments. Financial derivatives are deployed to hedge raw materials procurement contracts.
The CO2 issue
Failure of production facilities
In order to minimize the risk of critical facilities breaking down, ongoing targeted and comprehensive investments are made to technically optimize sensitive units. Supplementary measures encompass consistent preventive maintenance, risk-oriented storage of spare parts as well as employee training.
Failure of it systems
At the majority of the Group’s sites, business and production processes, which are largely based on complex information technology (IT) systems, are serviced by voestalpine group-IT GmbH, a company that specializes in IT and is wholly owned by the Group holding company voestalpine AG. Given the importance of IT security and in order to continue minimizing possible IT breakdown and security risks, minimum IT security standards that also encompass guidance on business continuity management were developed in the past. These minimum standards are regularly adapted to new circumstances, and compliance is reviewed annually by way of an audit. Additional periodic penetration tests are carried out in order to further reduce the risk of unauthorized access to IT systems and applications. Broad online campaigns aimed at further sensitizing our employees to security issues were carried out yet again in the business year just ended. Increasingly, attention is being paid also to the topic of cyber security as part of these online campaigns. Evidence of cyber fraud attacks (such as social engineering, CEO fraud, man-in-the-middle attacks related to payments and deliveries) are collected by a working group, preventive measures are developed, and existent measures are reviewed and adjusted as necessary. In addition, extensive online campaigns were carried out and special e-learning programs were initiated to both prevent potential cyber fraud attacks and further sensitize our employees to these risks.
Knowledge management / Project management
In order to sustainably safeguard the Group’s knowledge—in particular, to prevent the loss of its know-how—complex projects initiated in the past are consistently refined on a continuous basis. Besides permanently documenting all available knowledge, new findings from key projects as well as lessons learned as the result of unplanned events are analyzed and incorporated as appropriate. Detailed process documentation, especially in IT-supported areas, also contributes to securing the available knowledge.
A diverse range of project management tools and suitable project monitoring are used to counteract any project risks (e.g. investments, the project business). Insights gained from earlier activities are also collected in the sense of lessons learned and form the basis of the ongoing enhancement of already available tools to ensure that they are consistently applied in future projects.
Compliance violations (e.g. antitrust and corruption violations) represent a significant risk and may have adverse effects in that they may trigger both financial losses and damage to the Group’s reputation. A Group-wide compliance management system is designed particularly to counteract antitrust and corruption violations. Regarding antitrust proceedings and allegations, see chapter of the Notes.
Risks of noncompliance with data privacy requirements
Violations of requirements under data privacy laws may have adverse financial effects and lead to reputational damage. A data privacy unit was established on the basis of the data privacy requirements that apply throughout the Group. It helps the management of Group companies to carry out their responsibilities regarding compliance with statutory and intra-Group data privacy requirements.
Financial risk management is organized centrally with respect to policy-making power, strategy determination, and target definition. The existent policies encompass targets, principles, duties, and responsibilities for both Group Treasury and the financial departments of the individual Group companies. Financial risks are monitored continuously and hedged where feasible. In particular, this strategy aims to bring about natural hedges and to reduce the fluctuations in both cash flows and income. Market risks are largely secured through derivative financial instruments that are used exclusively in connection with an underlying transaction.
Specifically, financing risks are hedged using the following measures:
Liquidity risks generally consist of a company being potentially unable to meet its financial obligations. Existent liquidity reserves enable the company to duly meet its obligations even in times of crisis. Furthermore, a precise financial plan that is prepared on a revolving quarterly basis is the primary instrument for controlling liquidity risks. Group Treasury centrally determines the need for funds and bank credit lines based on the consolidated operating results.
Credit risk refers to financial losses that may arise from the non-fulfillment of contractual obligations by individual business partners. The credit risk of the underlying transactions is largely minimized by way of extensive credit insurance and bankable securities (guarantees, letters of credit). The default risk related to the Group’s remaining own risk is managed by way of defined credit assessment, risk evaluation, risk classification, and credit monitoring processes. Counterparty credit risk in financial contracts is managed daily by monitoring the ratings of counterparties and any changes in their credit default swap (CDS) levels.
Foreign exchange risk
The primary objective of foreign currency risk management is to create a natural hedge (cross-currency netting) within the Group by bundling the cash flows. In this connection, hedges are implemented centrally by Group Treasury using derivative hedging instruments. voestalpine AG hedges the budgeted (net) foreign currency cash flows for the next 12 months. Longer-term hedging is carried out only in connection with contracted project business. The hedging ratio is between 25% and 100% of the budgeted cash flows within the next 12 months.
Interest rate risk
voestalpine AG conducts interest rate risk assessments centrally for the entire Group. In particular, this entails managing cash flow risks (i.e. the risk that interest expense or interest income may undergo an adverse change). As of the March 31, 2019, reporting date, any increase in the interest rate by one percentage point would raise the net interest expense by EUR 14.3 million in the following business year. However, this is a reporting date assessment that may be subject to significant fluctuations over time. Interest-bearing investments have also been made, because voestalpine AG maintains a liquidity reserve to ensure the availability of liquidity. In order to avoid interest rate risks stemming from these investments, the interest rate exposure on the asset side (expressed by way of the modified duration) is coupled with the interest rate exposure on the liability side (asset/liability management).
voestalpine AG also assesses price risks, primarily using scenario analyses for the purpose of quantifying interest and currency risks.
Uncertainties stemming from legislation
Energy tax rebate in Austria
It must be noted with respect to the Austrian energy tax rebate that the Austrian Federal Finance Court (Bundesfinanzgericht) has directed a request for a preliminary ruling to the European Court of Justice (ECJ) (BFG 10/31/2014, RE/5100001/2014). The amendment of the Austrian Energy Tax Rebate Act (Energieabgabenvergütungsgesetz) by means of the 2011 Austrian Budget Accompanying Act (Budgetbegleitgesetz – BBG 2011), which applies to periods after December 31, 2010, limited the energy tax rebate to manufacturing companies. Subsequently, the question as to whether this restriction, which may be deemed state aid, violated European Union law was submitted to the ECJ for a preliminary ruling; the highest court has by now answered the question in the affirmative (ECJ 07/21/2016, docket no. C-493/14, Dilly’s Wellnesshotel GmbH). This means that the restrictions envisioned in the BBG 2011 have not taken effect. Therefore, service providers, in particular, can retroactively apply for the energy tax rebate for periods after February 1, 2011. In its subsequent ruling, the Austrian Federal Finance Court declared that the restriction to manufacturing companies did not take effect. The Austrian fiscal authorities appealed this decision to the Austrian Higher Administrative Court (Verwaltungsgerichtshof), which in September 2017 (decision dated 09/14/2017, EU 2017/0005 and 0006-1) again sought recourse with the ECJ. The final applications of the advocate general were filed on February 14, 2019. To date, it is not known when the decision on the matter pending before the ECJ (C-585/17) will be handed down. No adverse impact is anticipated for the voestalpine Group.