ÖBB Annual Report 2025

Österreichische Bundesbahnen-Holding Aktiengesellschaft, Consolidated Financial Statements | Group Management Report

Personnel, management and organization
The shortage of skilled workers in Austria leads to the risk of bottlenecks in the personnel area due to the lack of availability of certain employee groups – such as shunters or bus drivers – or increased fluctuation. ÖBB has put various action plans in place to counteract this social development. ÖBB continuously improves its employer branding, recruitment marketing and recruiting. To counter potential criminal conduct by employees, emphasis is placed primarily on preventive measures such as training, alongside reactive measures and early detection efforts. Uncertainties regarding the development of individual remuneration components lead to possible risks with regard to the wage bill. The risk potential is reduced by observing the facts, conducting negotiations and, if necessary, providing legal support.

Law and liability
Appropriate application of the Code of Conduct counteracts the risk of violations of (association) criminal and antitrust law provisions and the resulting fines and imprisonment that may be imposed. The Code of Conduct governs the ethical principles and general principles on which the Group’s business activities are based. The activities of the Compliance Office and the corresponding training programs also mitigate risk. The existing compliance management system is an essential part of the risk early warning and monitoring system, particularly in this area of risk. In addition, the responsible legal departments deal with risks arising from ongoing business activities. They are supported by the Compliance department with its expertise in antitrust law. These actions subsequently also serve to prevent risk and therefore also to avert or reduce damage.
Dynamic changes in legal regulations and regulatory frameworks can, for example, lead to increased system costs due to new technical or organizational requirements. This applies at both national and international level. Accordingly, developments are carefully monitored and examined for possible impacts in order to be able to react at an early stage. The management of legal risks and liability risks is ensured both by preventive action and by the targeted handling of impending risks. With the introduction of control and reporting systems, precautionary measures have been implemented to mitigate the potential risks. The Code of Conduct also serves this purpose by defining general behavioral instructions. Appropriate training, awareness-raising among all employees and managers, and creating clear areas of responsibility also serve to minimize risk. Risks and opportunities arising from ongoing proceedings are mapped in opportunity and risk management and reduced through appropriate support from the responsible legal departments.

Purchasing and procurement
Possible price increases for traction services, infrastructure services, vehicles or rents are potential risks for Purchasing. The risk situation is reduced by monitoring and analyzing the markets. This allows specific procurement and sales decisions to be made in combination with the corresponding contractual arrangements. In addition to the issue of price, the risk portfolio also includes the aspect of limited or excessive availability (e.g., of spare parts or specific rolling stock). These risks are mitigated through intensive contact with suppliers and service providers as well as potential procurement alternatives. In the energy sector, there is a delivery default risk for electricity, which is reduced by an internal limit system – the monitoring of trading partners – and by diversification across a broader supplier portfolio.
Data processing
System failures can lead to increased costs, revenue losses, as well as legal consequences. A large number of action plans are constantly being implemented to mitigate this risk. In addition to availability, the focus is also on ensuring the other aims of protecting information security: confidentiality and integrity. The comprehensive information security strategy is implemented in a structured and comprehensive manner. This takes place both in regular operations and as part of programs and projects. ÖBB also has the topics of “generative artificial intelligence (AI)” and “security” on its agenda. Awareness measures were implemented with regard to the use of generative AI and corresponding governance regulations were established in line with the European Union (EU) AI Regulation 2024/1689. The examples of the aforementioned actions and initiatives illustrate the broad spectrum of strategic and operational actions taken to ensure that information security is planned and managed systematically. In connection with potential information security risks, the Group-wide development of key potential threat scenarios should be noted separately. Possible impacts were specifically defined, assessed and assigned corresponding action plans.
