Internal control

Management is responsible for internal control in the company and it has implemented a risk management and control system, which is designed to ensure our business is focused on achieving its objectives and that significant risks are identified and mitigated to the extent possible. The system is also designed to ensure compliance with relevant laws and regulations.

The company’s risk management and internal control system is designed to determine risks in relation to the achievement of business objectives and appropriate risk responses.

This includes management reviews, reviews of the design and implementation of the company’s risk management approach and business and functional audit committees. Based on those reviews, the management provides an assessment each year, as required by law, of the effectiveness of the company’s internal control structure and the procedures for financial reporting.

It should be noted, however, that the above does not imply that these systems and procedures provide certainty as to the realisation of operational and financial business objectives, nor can they prevent all misstatements, inaccuracies, errors, fraud and non-compliance with rules and regulations.

This statement cannot be construed as a statement in accordance with the requirements of section 404 of the US Sarbanes-Oxley Act.


Risk management

As part of its commitment to sound corporate governance, ArcelorMittal has set up a process of risk identification and management. Risks are owned and managed by line management. Risk function facilitates the conversations and help monitoring the action plans. Critical risks are escalated through existing reporting lines. Critical risk decisions are not dissociated from the other decisions.

The audit and risk committee  assists the board of directors with the oversight of risks to which the ArcelorMittal group is exposed and in the monitoring and review of the  risk-management framework and process.



The Audit and Risk Committee (Committee) is established by and among the Board to ensure that the interests of the shareholders are properly protected in relation to risk management, internal control and financial reporting by:

  1. Overseeing the integrity of the financial reports and other financial information provided by the company to any governmental body or the public;
  2. Overseeing the company’s compliance with legal and regulatory requirements;
  3. Overseeing the registered public  accounting firm’s (Independent Auditor) qualifications and independence
  4. Overseeing the company’s system of internal control regarding finance, accounting, legal compliance, ethics and risk management that management and the board have established;
  5. Overseeing the company’s auditing, accounting and financial reporting processes generally;
  6. Overseeing the identification and management of risks to which the ArcelorMittal group is exposed.

Consistent with this function, the Committee should encourage continuous improvement of, and should foster adherence to, ArcelorMittal policies, procedures and practices at all levels. The Committee should also provide for open communication among the independent auditor, financial and senior management, the internal audit function, and the board of directors,

The Committee has the authority to conduct investigations into any matters within its scope of responsibility and obtain advice from outside legal, accounting, or other advisers, as necessary, to perform its duties and responsibilities.

In carrying out its duties and responsibilities, the Committee shall also have authority to meet with and seek any information it requires from employees, officers, directors, or external parties.

The Committee will comprise four to five members all of whom are independent under the company’s corporate governance guidelines, the New York Stock Exchange (NYSE) standards and the 10 Principles of Corporate Governance of the Luxembourg Stock Exchange.

At least one member will qualify as an “audit committee financial expert” as defined by the SEC and determined by the Board.

At least one member will qualify as an “risk management expert” having experience in identifying, assessing, and managing risk exposures of large, complex companies

The Committee members will be appointed by the Board and serve until their successors are elected. A chairperson is elected by the Board.


Cyber Security

ArcelorMittal continually monitors legal requirements and best practices in the United States, the European Union including Luxembourg, where ArcelorMittal is incorporated, to make improvements to its Cyber Security and General Data Protection Regulation (“GDPR”) standards and procedures when necessary.

ArcelorMittal has a robust IT Cyber Crisis Response Plan in place which provides a documented framework for handling high severity Cyber Security incidents and facilitates coordination across multiple parts of the ArcelorMittal group (the “Group”).

The Group’s Audit & Risk Committee is responsible for overseeing cybersecurity risk, information security, and technology risk, as well as management’s actions to identify, assess, mitigate, and remediate material issues. The Committee also regularly receives reports from its independent advisor regarding our cybersecurity programme.

Self-assessments and independent 3rd party audits are performed on a regular basis to benchmark (Internal & External) our Cyber Security Maturity Level for segments and for the Group. This includes, but is not limited to, ensuring that only the data necessary is processed, data storage periods are kept at a minimum, and the accessibility to the Personal Data is limited.

The implementation of an Information Systems Security Program does not mean that all responsibility for securing data rests with the IT departments. It is up to each segment/unit leadership to build and organize, in close coordination with the Group CISO Office, the awareness of their end-users.

Our Cyber Security framework is available in full here.



We have an established procedure for whistleblowing, including a whistleblowing policy, which all our employees and all other stakeholders can access. If they have an issue they feel they can’t raise with their line manager or with local management, they can use the whistleblowing process to report it through our website or by post to the following address:

Audit and Risk Committee
BP 78
L-5201 Sandweiler
G.D. of Luxembourg
This policy complies with the US Sarbanes-Oxley Act.