Proactive risk management, as continuously understood and practiced by the voestalpine Group, serves to ensure the existence of the Group as a going concern in the long term and to boost its value; it is thus key to the success of the voestalpine Group as a whole.
The voestalpine Group has had a comprehensive risk management system since the business year 2000/01, which is fleshed out in a general policy that applies throughout the Group and has been updated and refined repeatedly since then.
An Audit Committee has been in place at voestalpine AG since the coming into force of the Austrian Company Law Amendment Act of 2008 (Unternehmensrechts-Änderungsgesetz) and the resulting increase in the importance of both the internal control system (ICS) and the risk management system. Among other things, the Audit Committee is tasked with continually addressing questions related to risk management and the ICS as well as the monitoring thereof (see also the “” chapter of this Annual Report). Both the risk management and the internal control systems are integral components of existing management systems within the voestalpine Group. Internal Audit monitors all operational and business processes and the risks associated with them as well as the ICS. As regards both the reporting on and the appraisal of the audit results, it acts as an independent in-house department not bound by instructions.
This systematic risk management process assists management in identifying risks early on and initiating appropriate precautionary measures to avert or prevent dangers. In the sense of responsible corporate management that is oriented toward both sustainability and shareholder value, risk management is an integral part of the decision-making and business processes of all of the company’s divisions and hierarchy levels. Risk management covers the strategic and operational levels and thus is a major element in the Group’s sustainable success.
Strategic risk management serves to evaluate and safeguard the strategic planning for the future. The strategy is reviewed as to its conformity with the Group’s system of objectives in order to ensure value-added growth by way of the best possible allocation of resources.
Operational risk management is based on a revolving procedure (“identify, analyze, assess, manage, document, and monitor”) that is run uniformly across the entire Group several times a year. Operational risk management also includes ensuring conformity with the given strategy.
Identified risks are appraised using a nine-field assessment matrix that evaluates possible losses and the probability of their occurring. In the main, operational, environmental, market, procurement, technological, financial, Compliance, and IT risks are documented at both the strategic and the operational level. The risk management process is supported by a special web-based IT system.