Report on the company’s risk exposure

      Proactive risk management, as it is understood and regularly practiced in the voestalpine Group, serves to ensure the Group’s existence as a going concern in the long term as well as to increase its value, and is thus a key success factor. Risk management guidelines are rooted in a general policy that applies throughout the Group, and the risk management system is continuously updated and refined. In order to achieve corporate goals in the best possible way, the systematic risk management process helps management to identify risks at an early stage and initiate suitable precautionary measures to avert or avoid dangers. In the interests of sustainable, responsible, and value-oriented corporate management, risk management is an integral part of decision-making and business processes in all areas of the company and at all hierarchical levels, and also includes the responsible use of resources and the environment as well as compliance with regulatory requirements. Risk management extends across both the strategic and operational levels. It is a key element for the Group’s sustainable success and makes a significant contribution to the successful implementation of the corporate strategy and the objectives derived from it.

      Strategic risk management serves to evaluate and safeguard strategic planning for the future. The strategy is reviewed as to its conformity with the Group’s system of objectives in order to ensure value-added growth through the best possible allocation of resources. Opportunities identified in the risk management process are taken up, considered in the strategy process and pursued further. Operational risk management, which also ensures conformity with the strategy, is based on a process that must be carried out several times a year uniformly throughout the Group (“identify and analyze, assess, manage, document, and monitor”).

      • A supporting checklist is available for risk identification; it is regularly reviewed as to its topicality and adjusted as necessary.
      • Identified risks are appraised using a nine-field assessment matrix that evaluates possible losses and the probability of their occurring. Essentially, this involves documenting operational, market, procurement, technology, financial, human resource, compliance, IT, and environmental risks as well as other sustainability risks on a strategic and operational level.
      • Risk management measures pursue different strategies taking into account risk appetite and risk-bearing capacity (such as “avoid,” “mitigate,” “secure,” and combinations thereof; the wording, “bear” risk, comes into play to the extent that financial considerations preclude any other actions). Local management is responsible for making decisions as to what steps to pursue and implement.
      • The risk management process, including documentation and monitoring, is supported by a special web-based IT system.

      The operating units appoint risk managers who, in coordination with the respective management, drive and are responsible for the decentralized risk management process in the given units. The findings of the risk management process are also part of the regular divisional and Group controlling meetings, in which significant changes in the risk landscape are reported at the business unit or divisional level. The Management Board of voestalpine AG receives standardized reports on risk management every six months and on an ad hoc basis as required. Overall responsibility for risk management lies with the Management Board of voestalpine AG.

      Among other things, the Audit Committee of voestalpine AG continuously addresses issues relating to risk management and the internal control system (ICS) as well as the monitoring thereof. Both risk management and internal control are integral components of existing management systems within the voestalpine Group. Internal Audit monitors all operational and business processes and the associated risks as well as the ICS. As regards both the reporting on and the appraisal of the audit results, Internal Audit acts as an independent in-house department not bound by instructions. The functionality of the submitted risk management system applied is again reviewed annually by an external auditor (Rule 83 of the Austrian Code of Corporate Governance). The Audit Committee also receives a report on risk management every six months.