Risk Management and Internal Control System

Risk Management & Internal Control System

Risk Management

The Zumtobel Group is well aware that an effective opportunity and risk management system – as well as an internal control system – represents an important factor for maintaining and expanding its competitive position. Risk management in the Zumtobel Group covers the direct interaction and handling of risks to protect the asset, financial and earnings positions of the Group and to support the identification of opportunities and the evaluation of entrepreneurial decisions. The goal of risk management is to identify risks and opportunities at an early point in time through a systematic approach, and thereby permit the implementation of suitable measures to deal with changes in the operating environment. Risk management in the Zumtobel Group is an independent strategic process as well as an integral part of operational management. The basic instruments for the monitoring and management of risks are the risk management software which was installed in all Group companies as well as standardised planning and controlling processes, Group guidelines, regular reporting and the internal control system.

The corporate risk management department, a section of the controlling department at corporate headquarters, is responsible for the continuous development of risk management processes as well as the coordination of Group-wide risk management and risk monitoring. The risk management system used by the Zumtobel Group is closely linked with corporate controlling processes and the internal control system. The underlying framework for these two systems is formed by the principles of the COSO model. Guidelines and process descriptions for risk management are available to all companies in the Zumtobel Group.

Reporting plays a central role in the monitoring and management of economic risks. The operating units provide the Management Board with regular information on the current and expected development of business as well as the existing risks and available opportunities. In addition, the Audit Committee of the Supervisory Board receives semi-annual reports on the Group’s major risks and opportunities. The tools and processes used by the Group to identify and evaluate risks are continuously developed and improved with the support of internal audit and the auditor. The auditor evaluates the effectiveness of risk management at Zumtobel Group each year and reports to the Supervisory and Management Boards on the results of this review.

Internal Control System

The internal control system in the Zumtobel Group (abbreviated in the following as “ICS”) supports the attainment of corporate goals. The ICS is defined as the total of all process-based monitoring and management measures to safeguard Group assets, to ensure the completeness and reliability of information and systems, to support the efficiency and effectiveness of processes and to guarantee compliance with legal, contractual and internal rules and regulations.

The structure and design of the Zumtobel Group’s ICS are based on recognised international governance guidelines such as the framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the IT framework (COBIT) published by the Information Systems Audit and Control Association (ISACA), which are adapted where necessary to reflect the Group’s business model. The scope of the design and formalisation of the ICS follows a strict risk orientation: the expected benefit of each control is critically weighed against the expected additional expense (cost).

Designated business process managers are responsible for the implementation and updating of the ICS in the individual functional areas, regions and/or business divisions. The ICS is closely linked with the organisationally separate enterprise risk management process, which systematically records and aggregates risks for the process managers on a regular basis and, together with the related measures, issues reports for various levels up to the Supervisory Board.
Monitoring activities are carried out by the quality assurance units in the specialist departments together with the organisationally separate corporate audit and compliance department which has a dual reporting line to the Management Board and Audit Committee. The monitoring process covers the design of controls as well as their operational effectiveness. A strictly organised follow-up process ensures that any identified weak points are eliminated as quickly as possible. The designated monitoring functions are based on strict professional standards and subject to regular external review.

Internal audit

The corporate internal audit department of Zumtobel Group AG (corporate audit & compliance) is a staff department that reports directly to the Management Board. The head of the department provides regular reports to the Audit Committee of the Supervisory Board on the planning for and most important results of its work. The internal audit charter approved by the Management Board creates the foundation for all internal audit activities. This charter and the entire audit process in the Zumtobel Group are based on the international standards defined by the Institute of Internal Auditors (IIA). Compliance with these standards is reviewed and confirmed at least every five years by an external specialist; the most recent review took place in March 2016.

The standard corporate internal audits are defined in an annual schedule, which is approved by the Management Board and coordinated with the Audit Committee. It is the result of the Group-wide structured identification and analysis of qualitative and quantitative risk factors relating to processes, units and projects. The preparation of the audit schedule is closely coordinated with risk management and covers the content-related review of risk trends and efficiency in operating processes as well as the monitoring of compliance with legal regulations and internal guidelines. The activities of corporate internal audit also include ad hoc audits at the request of the Management Board and, depending on the team’s available expertise, consulting projects. In accordance with § 243a (2) of the Austrian Commercial Code and Rules 69 and 70 of the Austrian Corporate Governance Code, the management report must include a description of the key features of the internal control system and the risk management system related to the accounting process.