Report on the company’s risk exposure

      Proactive risk management, as it has been understood by and regularly practiced in the voestalpine Group, serves to ensure the Group’s existence as a going concern in the long term and to boost its value and thus is key to its success. Risk management requirements are rooted in a general policy that applies throughout the Group, and the risk management system is updated and refined on an ongoing basis. The systematic risk management process helps management to both identify risks early on and initiate appropriate precautionary measures in order to avert or prevent risks and thus achieve the company’s aims as effectively as possible. Considered in terms of responsible corporate management that is oriented toward sustainability and shareholder value, risk management is an integral part of the decision-making and business processes at all hierarchy levels of all of the company’s divisions. It also encompasses responsible approaches to resources and the environment as well as compliance with regulatory requirements. Risk management covers both the strategic and the operational levels and is therefore a major factor in the Group’s sustainable success.

      Strategic risk management serves to evaluate and safeguard the Group’s strategic planning for the future. This strategy is reviewed as to its conformity with the Group’s system of objectives in order to ensure value-added growth through the best possible allocation of resources. Operational risk management is based on a revolving procedure (“identify and analyze, assess, manage, document, and monitor”) that is implemented several times a year uniformly across the entire Group; questions regarding its conformity with the given strategy are also addressed as part of this process.

      • A supporting checklist is available for risk identification; it is regularly reviewed to ensure that it is up to date and adjusted as necessary.
      • Identified risks are appraised using a nine-field assessment matrix that evaluates possible losses and the probability of their occurring. In the main, this involves documenting operational, market, procurement, technological, financial, human resource, compliance, IT, and environmental risks as well as other sustainability risks at both the strategic and the operational level.
      • Taking both risk appetite and risk capacity into account, actions taken to control risk entail different strategies. This includes wording such as “avoid/avert,” “mitigate,” and “secure” as well as combinations thereof (the wording “bear risk” comes into play to the extent that financial considerations preclude any other actions). Local management is responsible for making decisions as to what steps to pursue and implement.
      • The risk management process, including documentation and monitoring, is supported by a special web-based IT system.

      The operating units appoint risk managers who, in coordination with the respective management, actively drive and are responsible for the decentralized risk management process in their units. Insights gained from the risk management process also are integral to regular controlling-related discussions at the divisional and Group level, during which material changes in the risk environment of the business units and the divisions are reported. Risk management reports are submitted to the Management Board of voestalpine AG on a semi-annual basis and ad hoc when necessary. Overall responsibility for risk management rests with the Management Board of voestalpine AG.

      Among other things, the Audit Committee of voestalpine AG is tasked with continually addressing questions related to risk management and the internal control system (ICS) as well as the monitoring thereof. Both risk management and the ICS are integral components of existing management systems within the voestalpine Group. Internal Audit monitors all operational and business processes, including the risks associated with them, as well as the ICS. As regards both the reporting on and the appraisal of the audit results, Internal Audit acts as an independent in-house department not bound by instructions. An external auditor, in turn, reviews and evaluates the design and suitability of the applicable risk management process once a year (Rule 83 of the Austrian Code of Corporate Governance). Risk management reports are also submitted to the Audit Committee semi-annually.