Internal control and risk management

The purpose of this section is to provide shareholders and other parties with a description of how the internal control and risk management of financial reporting is organized in Outokumpu. As a listed company, the Group has to comply with a variety of regulations. To ensure that all the stated requirements are met, Outokumpu has introduced principles for financial reporting and internal control and deployed them throughout the company’s organization.

Control environment

The foundation of Outokumpu’s control environment is the business culture established within the Group and its associated methods
of operation. The basis for the company’s compliance and control routines is provided by Group policies and principles, which define
the way in which Outokumpu’s organization operates. These policies and principles include, for example, the Corporate Responsibility
Policy and Ethics Statement. The Outokumpu Code of Conduct describes the Group’s basic values and offers standardized, practical
guidelines for managers and employees to follow. Furthermore, the Internal Control Policy, the Approval Policy and the Identity and
Access Management Policy define many of the principles related to the system of internal controls.

The performance management and the risk management processes are key management activities in enabling an efficient control
environment. In all sections of the Group’s operations, the planning activities and the setting of both operational and financial
targets are executed in accordance with Outokumpu’s overall business targets. Management follow-up of related achievements and risks is carried out through regular management reporting and meeting routines.

In 2020, Outokumpu has established a separate Internal Control function to oversee and develop Outokumpu’s system of internal
controls. The new function is also responsible for Group-wide governance, risk and compliance coordination. With the lead of the Internal Control function, Outokumpu has continued the measures to develop and implement global, aligned and consistent risk management and the internal control process, which is expected to provide improved assurance for the Group to reach its key targets. In the course of 2021, the new risk management and internal control processes will be implemented wider to cover the key entities and functions of the Group.

Risk management

Outokumpu operates in accordance with the risk management policy approved by the company’s Board of Directors. The policy defines the objectives, approaches, and areas of responsibility in the Group’s risk management activities. In addition to supporting Outokumpu’s strategy, the aim of risk management is identifying, evaluating, mitigating and controlling risks from the perspective of shareholders, customers, suppliers, personnel, creditors, and other stakeholders.

Risk management organization

The Board of Directors carries ultimate responsibility for risk management within Outokumpu. The CEO and members of the Leadership Team are responsible for defining and implementing risk management procedures, and for ensuring that risks are both properly addressed and considered in strategic and business planning. Outokumpu’s Risk Management Steering Group, led by the CFO, is the governing body for risk management in Outokumpu.

The Business areas and Group functions are responsible for managing the risks connected with their own operations. The Risk Management Steering Group and the Board of Directors review the key risks and actions to be taken to manage these risks on a regular basis. The Treasury and Risk Management function supports the implementation of Outokumpu’s risk management policy, facilitates and  coordinates risk management activities, and prepares quarterly risk reports for management, the Board Audit Committee and Auditors.

Risk management process

Outokumpu has defined risk as anything that could have an adverse impact on achieving the Group’s objectives. Risks can, therefore,
be threats, uncertainties, or lost opportunities connected with current or future operations. Outokumpu’s appetite for risk and risk
tolerance are defined regularly in relation to earnings, cash flows, and capital structure. The risk management process is an integral part
of the overall management processes and is divided into four stages: 1) risk identification; 2) evaluation and prioritization; 3) mitigation
and controls and 4) reporting. The risk management process in Outokumpu is two-fold: a top-down approach to manage the Group’s
key risks and a bottom-up approach focusing on operational level risks.

Within Outokumpu, the risk management process is monitored and controlled at different organizational levels. Regular risk updates are
carried out to capture relevant information. The monitoring of the results and risk updates also ensure that accurate information is provided both internally – to business area management teams and members of the Leadership Team – and externally to relevant parties such as shareholders and other stakeholders. Risk mitigation actions are defined according to the risk identification and the impact/likelihood assessments.

Focus areas

The focus in risk management in 2020 was on implementing the mitigation actions of the identified risks, supporting debt reduction at
Outokumpu e.g. by focused working capital management and by improving the overall efficiency of the risk management process.
Furthermore, the harsh market environment, especially in Europe, required several mitigating actions to protect the Group’s earnings
and cash flows.

Outokumpu continued its systematic fire safety and loss prevention audit program, focusing on execution of the mitigating actions. Due to the 2020 travel restrictions, many audits were conducted virtually using in-house expertise in cooperation with external advisors.

The main realized risks in 2020 were related to the disruption of the stainless steel markets due to the pandemic, and imports that continued to have a negative impact on stainless steel base prices and deliveries in Europe throughout the year.

Internal controls for financial reporting

Outokumpu’s control process for financial reporting is mainly based on the Internal Control Policy, Outokumpu Accounting Principles
and the Approval Policy, as well as on the responsibility and authorization structure within the Group. Policies relating to financial
reporting are usually owned and approved by the CEO and the CFO. Financial reporting in Outokumpu is carried out in a harmonized
way using a common chart of accounts and principles.

Financial reporting is prepared in a harmonized way in accordance with International Financial Reporting Standards (IFRS). The Outokumpu Accounting Principles (OAP) are Outokumpu’s application guidance on IFRS. The aim of the OAP and other financial reporting policies and instructions is to ensure that uniform financial processes and reporting practices are used throughout the Group. Policies and instructions for financial reporting are reviewed on a regular basis and revised when necessary.

In 2020, Outokumpu implemented a process and solution to report financial statements in the European Single Electronic Platform (ESEF). Outokumpu also launched a new financial closing management system to develop quality, consistency and transparency of the controls around financial closing process including account reconciliations and manual journals. At the end of 2020 the new processes covered more than half of the targeted scope. In 2021, Outokumpu will further implement its financial closing management system across the Group and plans to continue developing its financial reporting process and related controls.

The financial statements of the parent company and stand-alone Finnish subsidiaries are prepared in accordance with generally
accepted accounting principles in Finland, while foreign subsidiaries follow local accounting principles. Outokumpu also complies with the regulations regarding the financial reporting published by the Financial Supervisory Authority (FIN-FSA), Nasdaq Helsinki, and ESMA.

Identification and assessment of risks related to financial reporting

The risks related to the Group’s financial reporting are managed according to Outokumpu’s risk management process and classified a 
events such as misconduct or crime. The risks related to financial reporting are identified and typically assessed in risk workshops and in
2020 one focus area was the risk related to inventory valuations.

Control activities

In addition to the Board of Directors, finance management at all levels as well as the Boards of subsidiary companies are responsible for
ensuring that the internal controls relating to financial reporting are in place. Outokumpu has centralized the majority of its accounting and financial reporting in its global business service centers, which enables the efficient execution of internal control activities.

The aim of control activities is to discover, prevent, and correct the potential errors and deviations in financial reporting. Control activities also aim to ensure that authorization structures are designed and implemented in such a way that incompatible tasks (i.e. one person performing a critical activity and also being responsible for controlling that activity) are segregated. Control activities consist of different kinds of measures and include reviews of financial reports by Group management and in business area management teams, the reconciliation of accounts, analyses of the logic behind reported figures, forecasts compared to actual reported figures, and analyses of the Group’s financial reporting processes, among others. A key component is the monitoring of monthly performance against financial and operational targets. These control activities take place at different levels of the organization.

The most important accounting items in Outokumpu are the valuation and reporting of inventories and other items requiring management judgment, such as provisions. Moreover, in difficult market situations, such as the current COVID-19 pandemic, asset impairment calculations and the related sensitivity analyses are equally important. These items are carefully monitored and controlled on a regular basis, both within business areas and at the Group level.

Information technology and solutions play an important role in ensuring the appropriate structures for internal controls. The Group’s
consolidation system provides timely and uniform financial and management reporting from the Group entities and an effective
closing process within the whole Group.

Outokumpu is also running a business transformation program to develop and improve business capabilities and to renew parts of its
fragmented system environment. This will be achieved mainly by harmonizing and improving the Group’s core business processes and
implementing supporting IT systems, with improved system-based controls embedded in processes. The first rollouts of the new ERP together with other related IT systems took place during 2019. Further rollouts of the system will take place in 2021 as the scheduled rollouts for 2020 were postponed partly due to the COVID-19 pandemic.

Outokumpu has centralized the majority of its accounting and financial reporting in its global business service centers, which enables further development and harmonization opportunities for internal control activities.

Information and communication

Group-wide policies and principles are available to all Outokumpu employees. Instructions relating to financial reporting are communicated to all of the parties involved. The main communication channels employed are regular controller meetings, Outokumpu’s intranet, other easily accessible databases, and email.

In the pandemic situation with remote work promoted, only a very limited number of face-to-face controller meetings have been
organized. Finance Leadership Team meetings are organized regularly to share information and discuss issues of topical interest to the
Group. Furthermore, Outokumpu has established steering groups (e.g. for risk management and compliance topics) in which financial reporting and internal control issues can be discussed and reviewed. These groups typically consist of senior members of management and substance experts. The aim of these bodies is to ensure that common financial processes and reporting practices are followed throughout the Group and that effective internal controls relating to financial reporting are established.

Follow-up

Both management in all Outokumpu companies and personnel in the accounting and controlling functions are responsible for the
follow-up and monitoring of internal controls connected with financial reporting. Through its activities, the Internal Audit function monitors
that an appropriate control environment exists across the Group. Risk management, compliance function, and external auditors are also
engaged in the follow-up of control activities. The findings of the follow-up procedures are reported to the Board Audit Committee and the Outokumpu Leadership Team on a regular basis.

Internal audit

Internal Audit is an independent and objective assurance, control, and consulting function designated to add value, improve operations,
and monitor and support the organization in the achievement of its objectives. Through a systematic, disciplined approach, Internal Audit
determines whether governance and compliance processes, the internal control system, and the risk management process, as designed
and represented by the Board of Directors and the Outokumpu Leadership Team, are effective and efficient.

With a strong commitment to integrity and accountability, Internal Audit provides value to the Board of Directors and senior
management as an objective and direct source of information, insights and independent advice. Internal Audit monitors adherence to
Group principles, policies and instructions, and leads investigations on fraudulent and noncompliant behaviors and activities. Internal
Audit performs its function on behalf of and directly reports to the Board Audit Committee and to the executive management. The internal audit plan is approved by the Board Audit Committee. In addition, the function may carry out unscheduled audits when needed.

In 2020, Internal Audit performed six operational audits. The results of the audits that were carried out, including their risk appraisals,
are reported and distributed in writing. In view of the Outokumpu Code of Conduct and the Corporate Responsibility Policy, no issues of
material risk for the Outokumpu Group were identified. The 2021 internal audit plan will focus on strategy implementation, key projects
and certain Group companies selected based on assumed level of different types of risk.

Outokumpu encourages everyone to raise their concerns. There are several ways to report alleged misconduct, including SpeakUp, an
externally operated communication channel, that offers the option to report misconduct confidentially and anonymously, if allowed by
the laws and regulations.

SpeakUp is available both internally on company intranet and for external stakeholders via the company webpage. More than twenty
investigations of potential misconduct were recorded in 2020, and thereof 16 cases were reported via SpeakUp and 6 were recognized
through other channels.

During the year Internal Audit provided additional support e.g. in investigation of the possible segregation of duty issues in the
system environment.

Compliance

Outokumpu is strongly committed to the highest ethical standards and complies with the applicable laws and regulations of the
countries in which it operates as well as with the agreements and commitments it has made.

Outokumpu’s Code of Conduct sets out these ethical standards and provides guidelines for a common way of operating with the aim of
ensuring that all Outokumpu employees live up to Outokumpu’s ethical standards.

Outokumpu’s Legal and Compliance function is responsible for managing and continuously developing Outokumpu’s ethics and
compliance program. Outokumpu’s ethics and compliance program is described in more detail as part of Outokumpu & society
at www.outokumpu.com. The Legal and Compliance function reports to the CEO and to the Outokumpu Leadership Team as wellas directly to the Board Audit Committee on compliance-related matters. Compliance-related matters are also regularly handled in
the Compliance Steering Group, consisting of the CEO, CFO, Head of HR and Organization Development, Head of Internal Audit, Corporate General Counsel and Head of Compliance. The Compliance Steering Group met four times in 2020. A network of compliance contact persons supports the local implementation of the ethics and compliance program in the business areas and business support functions.