Report on the company’s risk exposure

Proactive risk management, as consistently practiced in the voestalpine Group, helps safeguard the Group’s long-term viability and enhance its value, making it a key success factor. Risk management guidelines are embedded in a Group-wide standard operating procedure. The risk management system is continuously updated and further developed. In order to achieve corporate goals in the best possible way, the systematic risk management process helps management to identify risks at an early stage and initiate suitable precautionary measures to avert or avoid dangers. In the interests of sustainable, responsible, and value-oriented corporate management, risk management is an integral part of decision-making and business processes in all areas of the company and at all hierarchical levels, and includes the responsible use of resources and the environment, as well as compliance with regulatory requirements. Risk management covers both the strategic and operational levels. It is a key element for the Group’s sustainable success and makes a significant contribution to the successful implementation of the corporate strategy and the objectives derived from it.

Strategic risk management serves to evaluate and safeguard strategic planning for the future. The strategy is reviewed as to its conformity with the Group’s strategic objectives in order to ensure value-added growth through optimal resource allocation. Opportunities identified through the risk management process are integrated into strategic planning and actively followed up. Operational risk management, which also ensures conformity with the Group’s strategy, is based on a standardized process conducted several times a year across the Group (“identify and analyze, assess, address, document, and monitor”).

• A comprehensive checklist is available to support risk identification. It is regularly reviewed as to its relevance and updated as necessary.
• Identified risks are appraised using a nine-field assessment matrix that evaluates possible losses and the likelihood of occurrence. Essentially, this involves documenting operational, market, procurement, technology, financial, human resource, compliance, IT, and environmental risks as well as other sustainability risks at both the strategic and operational levels.
• Risk mitigation measures follow different strategies, such as “avoid,” “reduce,” “transfer,” and combinations thereof, based on the Group’s risk appetite and risk-bearing capacity. Where no further measures appear economically viable, a risk may also be accepted. Local management is responsible for defining and implementing the measures.
• The risk management process, including documentation and monitoring, is supported by a dedicated web-based IT solution.

Each operational unit has designated risk managers who, in coordination with the respective management, actively drive the risk management process within their units and also hold decentralized responsibility for its implementation. The findings of the risk management process are also part of the regular divisional and Group controlling meetings, in which significant changes in the risk landscape are reported at the business unit or divisional level. There is also regular, close coordination with sustainability management at divisional and Group levels. The Management Board of voestalpine AG receives standardized reports on risk management every six months as well as on an ad hoc basis when required. Overall responsibility for risk management lies with the Management Board of voestalpine AG.

Among other things, the Audit Committee of voestalpine AG continuously addresses issues relating to risk management and the internal control system (ICS), as well as the monitoring thereof. Both risk management and the internal control are integral components of existing management systems within the voestalpine Group. Internal Audit monitors all key operational and business processes, their associated risks including related controls, as well as the ICS. As regards both the reporting on, and the appraisal of, audit results, Internal Audit acts as an independent in-house department not bound by instructions. The functionality of the established risk management system is in turn reviewed annually by an external auditor (Rule 83 of the Austrian Code of Corporate Governance). The Audit Committee receives semi-annual reports on risk management and the internal control system.