Report on the company’s risk exposure
Proactive risk management, as embedded in the voestalpine Group, serves to secure the company’s long-term viability and ensure sustainable value growth, and represents a key success factor. Risk management guidelines are established in the form of a Group-wide procedural instruction, and the risk management system is continuously updated and further developed. To achieve corporate goals as effectively as possible, the structured risk management process supports management in identifying risks at an early stage, assessing their potential impacts, and initiating appropriate precautionary measures to avert or prevent hazards. As an integral part of responsible, sustainable, and value-oriented corporate governance, risk management is firmly embedded in the decision-making and business processes of all business units and hierarchical levels and also encompasses the responsible use of resources and environmental protection in compliance with regulatory requirements. Risk management extends to both the strategic and operational levels. Risk management is a key element of sustainable corporate success and makes a significant contribution to the implementation of the corporate strategy and the achievement of the associated objectives.
Strategic risk management supports the evaluation and safeguarding of strategic corporate planning. The strategy is reviewed for compliance with the target system to ensure value-enhancing growth through the best possible allocation of resources. Opportunities identified in the risk management process are addressed, incorporated into the strategy process, and pursued. Operational risk management—which also ensures compliance with the strategy—follows a uniform, Group-wide process that is carried out several times a year (“identify and analyze, assess, manage, document, and monitor”).
A comprehensive questionnaire is available to support risk identification; it is regularly reviewed for relevance and updated as necessary.
Identified risks are appraised using a nine-field assessment matrix that evaluates possible losses and the likelihood of occurrence. Essentially, this involves documenting operational, market, procurement, technology, financial, human resource, compliance, IT, and environmental risks, as well as other sustainability risks at both the strategic and operational levels.
Risk mitigation measures follow different strategies, such as “avoid,” “reduce,” “transfer,” and combinations thereof, based on the Group’s risk appetite and risk-bearing capacity. Where no further measures appear economically viable, a risk may also be accepted. Local management is responsible for defining and implementing the measures.
The risk management process is supported by a web-based IT application that ensures documentation and monitoring.
Risk managers are appointed in the operating units. In coordination with the respective leadership teams, they actively oversee the risk management process on a decentralized basis. Findings from the risk management process are also part of the regular divisional and Group-wide controlling meetings, in which significant changes in the risk landscape are reported at the business unit and divisional levels. Furthermore, there is regular and close coordination with sustainability management at the divisional and Group levels. The Executive Board of voestalpine AG receives standardized semi-annual reports on risk management, as well as ad hoc reports as needed. Overall responsibility for risk management lies with the Executive Board of voestalpine AG.
The Audit Committee of voestalpine AG also continuously addresses issues related to risk management, the internal control system, and their monitoring. Risk management and the internal control system are integral components of existing management systems within the voestalpine Group. Group Internal Audit reviews significant operational and business processes and the associated risks, including related control mechanisms such as the internal control system (ICS), and acts as an independent and autonomous internal department when evaluating audit results and in its reporting. The effectiveness of the established risk management system is, in turn, reviewed and assessed annually by external auditors (Rule 83 ÖCGK). The Audit Committee receives semi-annual reports on risk management and the internal control system.