Report on the company’s risk exposure

      Proactive risk management—as it has been understood by and regularly practiced in the voest­alpine Group for many years—serves to ensure the Group’s existence as a going concern in the long term and to boost its value; it is thus key to the success of the voestalpine Group on the whole. The existing risk management system is rooted in a general policy that applies throughout the Group and is continually updated and refined.

      Among other things, the Audit Committee of voest­alpine AG is tasked with continually addressing questions related to risk management and the Internal Control System (ICS) as well as the monitoring thereof. Both risk management and internal control are integral components of existing management systems within the voestalpine Group. Internal Audit monitors all operational and business processes, including the risks associated with them, as well as the ICS. As regards both the reporting on and the appraisal of the audit results, Internal Audit acts as an independent in-house department not bound by instructions.

      The systematic risk management process helps management to both identify risks early on and initiate appropriate precautionary measures with the aim of averting or preventing dangers. In the sense of responsible corporate management that is oriented toward sustainability and shareholder value alike, risk management is an integral part of the decision-making and business processes at all hierarchy levels of all of the company’s divisions. Risk management covers both the strategic and the operational levels and thus is a major factor in the Group’s sustainable success.

      Strategic risk management serves to evaluate and safeguard the Group’s strategic planning. The strategy is reviewed as to its conformity with the Group’s system of objectives in order to ensure value-added growth through the best possible allocation of resources. Operational risk management is based on a revolving procedure (“identify and analyze, assess, manage, document, and monitor”) that is run several times a year uniformly across the entire Group. Operational risk management also includes ensuring conformity with the given strategy. Identified risks are appraised using a nine-field assessment matrix that evaluates possible losses and the probability of their occurring. In the main, this involves documenting operational, environmental, ­market, procurement, technological, financial, compliance, and IT risks at both the strategic and the operational level. Actions taken to control risk entail different strategies such as risk avoidance and mitigation, the securing of assets, combinations of these approaches as well as the ­capacity to bear risk; local management is responsible for making decisions as to what steps to pursue and implement. The operating units appoint risk managers who, in coordination with the respective management, drive and are responsible for the decentralized risk management process in the given units. Overall responsibility for risk management, however, rests with the Management Board of voestalpine AG.

      Risk management is supported by a special web-based IT system. An external auditor reviews and evaluates the design and suitability of the pro­cess once a year (Rule 83 of the Austrian Corporate Governance Code (ACGC)).