GOV-5 – Risk management and internal controls over sustainability reporting
ORGANIZATIONAL ANCHORING OF SUSTAINABILITY AT voestalpine
The Group Sustainability department, which was newly created at Group level in 2023, is responsible for all sustainability agendas at voestalpine. It acts as a central coordination point for corporate responsibility management and all sustainability initiatives. In addition, a secondary organization was established in the reporting period in the form of a board and committee structure in order to ensure consistent cross-functional and cross-divisional cooperation at all levels. This structure also includes risk management processes and internal control mechanisms related to sustainability reporting.
Organizational structure – Sustainability management
Group Sustainability department
The Group Sustainability (GS) department is responsible for coordinating reporting and regularly updating report content in consultation with the relevant departments and in compliance with legal standards. GS is responsible for implementing an internal control system (ICS) as part of sustainability reporting, insofar as the processes are not already covered by an existing ICS (e.g., ICS for financial processes).
Internal Audit and Risk Management department
Risk management is responsible for Group-wide risk management as well as for Internal Audit. The ICS for sustainability reporting supplements existing internal control systems (finance, sales, personnel) at voestalpine. Therefore, responsibility for monitoring the processes lies with the Internal Audit and Risk Management department.
Specialist departments
All relevant departments are responsible for the correct and complete provision of the necessary data and information required for sustainability reporting. It is the responsibility of the individual departments to ensure adherence to the respective ICS requirements for sustainability reporting.
The sustainability reporting processes are embedded within the overarching risk management structures, including internal control systems. The numerous Group policies, published on the intranet, define Group-wide minimum standards and provide the framework for ethical, responsible, and sustainable business conduct, incorporating basic principles of internal control systems, such as:
- The dual control principle
- Functional separation
- Transparency and traceability
- Need-to-know principle
- Security of property and assets
An integral part of the risk analysis and assessment is the comprehensive materiality assessment conducted in accordance with ESRS, which ensures that all sustainability topics relevant to voestalpine are identified and considered in the sustainability report. In the business year 2023/24, the perspective of stakeholders was increasingly incorporated into this analysis. An audit ensures that the identified topics are covered in the sustainability report.
Sustainability reporting is subject to risks, such as human error, incomplete data, or inconsistent information. Risks relate in particular to the accuracy of data entries and manual processing steps in the reporting process.
Furthermore, the materiality assessment conducted as part of the initial application of ESRS posed a particular challenge: In certain areas, such as biodiversity, there was limited reliable information available at the time of the assessment to accurately assess concrete impacts as well as financial risks and opportunities. voestalpine is working to systematically improve its expertise and the underlying data foundation in these areas.
voestalpine has implemented a series of control mechanisms to minimize risks in sustainability reporting to the greatest possible extent:
- The CSRD project core team regularly reviews the requirements for sustainability reporting and the regulations during the reporting process.
- Internal experts from a wide range of specialist departments as well as external experts examine the topic-specific chapters, carry out cross-comparisons with other chapters (dual control principle), and review or validate subject-specific content.
- The Group Sustainability Committee reviews and subsequently approves the material intended for publication.
- In addition, the sustainability report is subject to an external audit with limited assurance.
- In areas where data is incomplete—such as biodiversity—voestalpine systematically documents any information gaps. These then serve as the basis for the further development of the materiality assessment and reporting in future reporting periods.
The appointed auditors conduct analytical audit procedures and sample audits as part of the limited assurance process for the company’s sustainability report. Audit activities performed by the external auditor are described in the assurance statement.
Furthermore, voestalpine has implemented additional internal controls based on its risk assessment in the sustainability report. These include quantitative and qualitative audit mechanisms, the involvement of key corporate functions, and the participation of the Group-wide Sustainability Board. These controls are complemented by system-based access controls and automated input controls in the IT systems used for sustainability reporting.