GOV-5 – Risk management and internal controls over sustainability reporting
Organizational anchoring of sustainability at voestalpine
The Group Sustainability department, which was established in 2023, is responsible for and coordinates Corporate Responsibility Management and all sustainability agendas. In addition, a secondary organization was established in the reporting period in the form of a board and committee structure including competence teams from the functions and divisions in order to ensure consistent cross-functional and cross-divisional cooperation at all levels. This structure also includes risk management processes and internal control mechanisms related to sustainability reporting.
Organizational structure – sustainability management
Group Sustainability department
The Group Sustainability (GS) department is responsible for coordinating reporting and regularly updating report content in consultation with the relevant departments and in compliance with legal standards. GS is responsible for implementing an internal control system (ICS) as part of sustainability reporting, insofar as the processes are not already covered by an existing ICS (e.g., ICS for financial processes).
Other specialist areas
Internal Audit and Risk Management department
The Internal Audit and Risk Management department is responsible for Group-wide risk management as well as for Internal Audit. The ICS for sustainability reporting supplements the existing internal control systems (e.g., finance, sales, personnel) at voestalpine. Therefore, responsibility for monitoring the processes lies with the Internal Audit and Risk Management department.
Specialist departments
All relevant departments are responsible for the correct and complete provision of the necessary data and information required for sustainability reporting. It is the responsibility of the individual departments to ensure adherence to the respective ICS requirements for sustainability reporting.
In order to meet the requirements for consistent, complete, and reliable sustainability reporting in accordance with ESRS, in the last business year the existing processes were expanded and adapted to the specific requirements of sustainability reporting. The internal control system (ICS) for the voestalpine sustainability reporting is based on the internationally recognized COSO framework (Committee of Sponsoring Organizations of the Treadway Commission – Internal Control – Integrated Framework). This framework is based on the following five key components:
Control environment
Risk evaluation
Control mechanisms
Information and communication
Monitoring
Control environment
The sustainability reporting processes are embedded within the overarching risk management structures, including internal control systems. The numerous Group policies, published on the intranet, define Group-wide minimum standards and provide the framework for ethical, responsible, and sustainable business conduct. They include basic ICS principles such as:
The dual control principle
Functional separation
Transparency and traceability
Need-to-know principle
Security of property and assets
At voestalpine, risk management and internal control mechanisms are designed to identify, assess, and mitigate the risks that may affect the Group’s financial and sustainability reporting. The voestalpine ICS comprises guidelines, procedures, and controls which are regularly reviewed and updated in order to be able to respond adequately to new risks, taking into account regulatory requirements.
With regard to sustainability reporting, the identification of reporting-related risk sources and effective control mechanisms was further expanded in business year 2025/26.
Risk evaluation
Sustainability reporting is subject to risks such as human error, incomplete data or data bases, or inconsistent information. Risks relate in particular to the accuracy of data entries and manual processing steps in the reporting process. This also includes risks of incomplete or late data reporting, potential errors due to manual calculation steps, and deviations that can result from heterogeneous system landscapes.
In certain areas, such as biodiversity, there was limited reliable information available at the time of the IRO‑1 – E4 assessment to accurately assess concrete impacts as well as financial risks and opportunities. voestalpine is working to systematically develop its competencies and the underlying data base in these areas.
Control mechanisms
voestalpine has implemented a series of control mechanisms to minimize the sustainability reporting risks identified in the risk evaluation to the greatest possible extent:
The CSRD project core team regularly reviews the requirements for sustainability reporting and the regulations during the reporting process. The collection of quantitative data is mainly carried out by standardized queries or IT systems including (automated) input checks, release notes, and subsequent plausibility checks. These controls are complemented by system-based access controls and automated input controls in the IT systems used for sustainability reporting. Internal experts from a wide range of specialist departments examine the topic-specific chapters, carry out cross-comparisons with other chapters (dual control principle), and review or validate subject-specific content. The Group Sustainability Committee reviews and subsequently approves the material intended for publication. In areas where data is incomplete—such as biodiversity—voestalpine systematically documents any information gaps. These then serve as the basis for the further development of the materiality assessment and reporting in future reporting periods. Central Group functions are integrated into the implementation of individual quantitative and qualitative audit mechanisms, and the Group-wide Sustainability Board is also involved.
In addition, the sustainability report is subject to an external audit with limited assurance. The appointed auditors perform analytical audit procedures and sample-based audits as part of the limited assurance process for the company’s sustainability report. The audit activities performed by the external auditor are described in the assurance report.
Accordingly, voestalpine has preventive and detective control measures in place in relation to the production of qualitative and quantitative report content. Preventive measures include, in particular, standardized data collection templates and defined term classifications, system-side validation and automated input checks, as well as ensuring appropriate access and authorization structures in the IT systems used. Detective control activities include specialist and technical plausibility checks, deviation analyses, sample-based test procedures and formalized dual control approval processes. The proper implementation of these checks is already verified and documented in many areas by system logs, storage systems, and/or defined storage structures.
Information and communication
The responsibilities in the entire process (see organizational structure for sustainability management) are clearly defined. A reporting calendar with milestones and dependencies for financial reporting, as well as Group-wide written requirements for data collection and documentation in the form of a handbook, are in place to ensure the timely dissemination of information and complete reporting. In addition, the results of the risk assessment and the internal control mechanisms related to sustainability reporting are regularly communicated to the relevant bodies. This includes reporting to the Management Board and providing additional information to the Internal Audit and Risk Management department to ensure transparent monitoring and continuous improvement.
Monitoring
The aim is to ensure the monitoring of the reporting process by combining structured process design with clearly defined responsibilities and a multi-layered control framework. Control actions, including ongoing plausibility checks, documented controls in some areas, as well as periodic reviews of process effectiveness—such as internal checks and audits—are designed to ensure that the sustainability reporting meets regulatory requirements and that data quality, transparency and traceability are high.