Proactive risk management, as it has been understood by and regularly practiced in the voestalpine Group, serves to ensure the Group’s existence as a going concern in the long term and to boost its value and thus is key to the success of the voestalpine Group on the whole. The existing risk management system is rooted in a general policy that applies throughout the Group and is continually updated and refined. The systematic risk management process helps management to both identify risks early on and initiate appropriate precautionary measures with the aim of averting or preventing risks. In the sense of responsible corporate management that is oriented toward sustainability and shareholder value alike, risk management is an integral part of the decision-making and business processes at all hierarchy levels of all of the company’s divisions. Risk management covers both the strategic and the operational levels and thus is a major factor in the Group’s sustainable success.
Strategic risk management serves to evaluate and safeguard the Group’s strategic planning. The strategy is reviewed as to its conformity with the Group’s system of objectives in order to ensure value-added growth through the best possible allocation of resources. Operational risk management is based on a revolving procedure (“identify and analyze, assess, manage, document, and monitor”) that is run several times a year uniformly across the entire Group. Operational risk management also includes ensuring conformity with the given strategy. Identified risks are appraised using a nine-field assessment matrix that evaluates possible losses and the probability of their occurring. In the main, this involves documenting operational, environmental, market, procurement, technological, financial, human resource, compliance, and IT risks as well as other sustainability risks at both the strategic and the operational level. A supporting checklist is available for risk identification; it is regularly reviewed to ensure it is up to date and adjusted as necessary. Taking both risk appetite and risk capacity into account, actions taken to control risk entail different strategies. These strategies are described as “avoid/avert,” “mitigate,” and “secure” as well as combinations thereof; the strategy of “bearing” a risk comes into play to the extent that financial considerations preclude any other actions. Local management is responsible for making decisions as to what steps to pursue and implement. The operating units appoint risk managers who, in coordination with the respective management, drive and are responsible for the decentralized risk management process in the given units. Risk management is supported by a special web-based IT system. Overall responsibility for risk management, however, rests with the Management Board of voestalpine AG.
Among other things, the Audit Committee of voestalpine AG is tasked with continually addressing questions related to risk management and the Internal Control System (ICS) as well as the monitoring thereof. Both risk management and internal control are integral components of existing management systems within the voestalpine Group. Internal Audit monitors all operational and business processes, including the risks associated with them, as well as the ICS. As regards both the reporting on and the appraisal of the audit results, Internal Audit acts as an independent in-house department not bound by instructions. An external auditor reviews and evaluates the design and suitability of the existing risk management process once a year (Rule 83 of the Austrian Code of Corporate Governance (ACCG)).