Description of material fields of risk

In order to ensure the supply of raw materials and energy in the required quantities and quality in the long term, the voestalpine Group has for some years already pursued a diversified procurement strategy that is appropriate to the heightened political and economic risks of this globalized market. Long-term supply relationships, expansion of the supplier portfolio as well as development of the Group’s self-sufficiency are the core elements of this strategy, which remain as important as before given the volatility of the raw materials markets (for details, see the “Raw Materials” chapter of this Annual Report). As far as energy supplies are concerned, the Group is continually on the look-out for alternative energy resources.

On the whole, the pandemic is disrupting global supply chains. This may trigger limitations that are imposed by suppliers and/or customers or arise from disruptions in transportation routes.

An internal guideline defines objectives, principles, and responsibilities as well as methodologies, procedures, and decision-making processes in connection with the handling of raw materials risks. Based thereon and taking into account individual specificities of the respective Group company’s business model, prices are hedged by means of delivery contracts containing fixed price agreements or by means of derivative financial instruments. Financial derivatives are deployed to hedge raw materials procurement contracts.

Risks associated with CO₂ are covered separately in the “Environment” chapter of this Annual Report.

In order to minimize the risk of critical facilities breaking down, ongoing targeted and comprehensive investments are made to optimize sensitive units technologically. Supplementary measures encompass consistent preventive maintenance, risk-oriented storage of spare parts as well as appropriate employee training.

At the majority of the Group’s sites, business and production processes, which are largely based on complex information technology (IT) systems, are serviced by voestalpine Group-IT GmbH, a company that specializes in IT and is wholly owned by the Group holding company, voestalpine AG. Given the importance of IT security and in order to continue minimizing possible IT breakdown and security risks, minimum IT security standards that also encompass guidance on business continuity management were developed in the past. These minimum standards are regularly revised and adapted to new circumstances; compliance with these new standards is reviewed annually by way of an audit. Additional periodic penetration tests are carried out to further reduce the risk of unauthorized access to IT systems and applications. Broad online campaigns aimed at further sensitizing our employees to security issues were carried out yet again in the business year just ended. Increasingly, attention is being paid also to the topic of cyber security as part of these online campaigns. A working group collects evidence of potential cyber fraud attacks (such as social engineering, CEO fraud, man-in-the-middle attacks related to payments and deliveries), develops preventive measures, and reviews and adjusts existent measures as necessary. In addition, extensive online campaigns are carried out and initiatives launched with respect to special e-learning programs to both prevent potential cyber fraud attacks and further sensitize our employees to these risks.

In order to sustainably safeguard the Group’s knowledge—in particular, to prevent the loss of its know-how—complex projects initiated in the past are consistently and continually refined. Besides permanently documenting all available knowledge, new findings from key projects as well as lessons learned as the result of unplanned events are implemented as appropriate. Detailed process documentation, especially in IT-supported areas, also contributes to securing the available knowledge.

A diverse range of project management tools and suitable project monitoring are used to counteract any project risks (e.g., investments, the project business). Insights gained from earlier activities are also collected in the sense of lessons learned and form the basis of the ongoing enhancement of already available tools to ensure that they are consistently applied in connection with future projects.

Compliance violations (e.g., antitrust and corruption violations) represent a significant risk and may have adverse effects in that they may trigger both financial losses and damage to the Group’s reputation. A Group-wide Compliance management system is designed particularly to counteract antitrust and corruption violations. Regarding antitrust proceedings and allegations, see item 19 in the Notes.

Violations of requirements under data protection laws may have adverse financial effects and lead to reputational damage. A data protection unit was established on the basis of the data protection requirements that apply throughout the Group. It serves to help the management of Group companies carry out their responsibilities regarding compliance with statutory and intra-Group data protection requirements.

Financial risk management is organized centrally with respect to policy-making power, strategy determination, and target definition. The existing policies include targets, principles, duties, and responsibilities for both Group Treasury and the financial departments of the individual Group companies. Financial risks are monitored continuously and hedged where feasible. In particular, this strategy is aimed at natural hedges and at reducing the fluctuations in both cash flow and income. Market risks are largely hedged through derivative financial instruments that are used exclusively in connection with an underlying transaction.

Liquidity risks generally consist of a company being potentially unable to raise the funds necessary to meet its financial obligations. Existing liquidity reserves enable the company to meet its obligations even in times of crisis. Furthermore, a precise financial plan that is prepared on a revolving, quarterly basis is the primary instrument for controlling liquidity risk. Group Treasury centrally determines the need for financing and bank credit lines based on the consolidated operating results.

Group Treasury conducted additional reviews in order to take current conditions resulting from the COVID-19 crisis into account. The planned liquidity needs for the next 12 months are to be covered by a liquidity reserve.

Credit risk refers to financial losses that may occur due to non-fulfillment of contractual obligations by individual business partners. The credit risk of the underlying transactions is minimized to a large degree through a large number of credit insurance policies and bankable securities (guarantees, letters of credit). The default risk related to the Group’s remaining own risk is managed by way of defined credit assessment, risk evaluation, risk classification, and credit monitoring processes. As of March 31, 2020, 81% of the company’s trade receivables were covered by credit insurance. The pandemic may trigger both a tightening of credit limits on the part of loan insurers and greater charge-offs of receivables. Counterparty credit risk in financial contracts is managed by way of daily monitoring of the ratings and any changes in the counterparties’ credit default swap (CDS) levels.

The primary objective of foreign currency risk management is to create a natural hedge (cross-currency netting) within the Group by bundling the cash flows. In this connection, hedges are implemented centrally by Group Treasury based on derivative hedging instruments. voestalpine AG hedges the budgeted foreign currency payments (net) for the next 12 months. Longer-term hedging is carried out only in connection with contracted project business. The hedging ratio is between 25% and 100% of the budgeted cash flows within the next 12 months.

voestalpine AG conducts the interest rate risk assessment centrally for the entire Group. In particular, this entails managing cash flow risks (i.e., the risk that interest expense or interest income may undergo an adverse change). As of the March 31, 2020, reporting date, any increase in the interest rate by one percentage point would result in an increase of the net interest expense by EUR 10.9 million in the next business year. However, this is a reporting date assessment that may be subject to fluctuations over time.

voestalpine AG also assesses price risk, primarily using scenario analyses for the purpose of quantifying interest and currency risks.