Our strategy

Purpose management and governance

Cisco’s People, Policy, and Purpose organization leads our social investment programs and champions our commitment to Purpose performance and transparency.

Within this organization are teams responsible for:

• Setting and driving reporting strategy through multiple inputs, including analyses of internal and external stakeholder priorities, the reporting landscape, and Cisco’s business strategy
• Working cross-functionally to help determine priorities and drive the process for governance across business functions
• Setting and stewarding Cisco’s ESG materiality¹ assessments for our voluntary reporting
• Coordinating and supporting broad alignment and reporting on topics relevant to our Purpose
• Engaging with a wide range of internal and external stakeholders
• Researching and monitoring global trends
• Conducting bespoke research to inform strategic decisions and share as thought leadership
• Stewarding and developing our annual Purpose Report and Purpose Reporting Hub

Business functions also own Purpose priorities. Teams integrate priorities into their business strategy by setting goals, implementing plans, and measuring performance. Many priorities and goals involve multiple functions. To support accountability and alignment, we create cross-functional teams to execute these goals.

Risk management

Cisco’s leadership is responsible for day-to-day risk management activities. The Board of Directors, acting directly and through its committees, is responsible for the oversight of Cisco’s risk management. With the oversight of the Board of Directors, Cisco’s management implements practices, processes, and programs designed to help manage the risks to which we are exposed in our business and to align risk-taking appropriately with our efforts to increase stockholder value.

Cisco’s management implemented an enterprise risk management (ERM) program, managed by Cisco’s internal audit function, that works across the business to identify, assess, govern, and manage risks and Cisco’s response to those risks. Cisco’s internal audit function performs an annual risk assessment, which is utilized by the ERM program. The ERM program's structure includes an ERM operating committee that focuses on risk management-related topics and an ERM executive committee consisting of members of our executive leadership team.

Our Board, directly and through the Audit Committee, oversees our financial and risk management policies, including data protection (comprising both privacy and security), receives regular reports on ERM from the chair of the ERM operating committee, as well as regular reports on cybersecurity from Cisco’s Chief Security and Trust Officer multiple times a year. Other Board committees oversee certain categories of risk associated with their respective areas of responsibility.

The Environmental, Social, and Public Policy (ESPP) Committee of the Board oversees Cisco’s initiatives, policies, programs, and strategies concerning environmental sustainability and other key corporate social responsibility (CSR) and public policy matters, as more fully set forth in the Committee's Charter. The Compensation Committee of the Board oversees the development and implementation of Cisco’s practices, strategies, and policies used for recruiting, managing, and developing employees (i.e., human capital management). These practices, strategies, and policies focus on diversity and inclusion, workplace environment and safety, and corporate culture. In addition, the full Board receives updates on Cisco’s overall CSR strategy, including ESG matters, from management.

The Governance, Risk, and Controls (GRC) organization manages the company’s internal audit function. GRC operates under the International Standards for the Professional Practice of Internal Auditing (the Standards) as published by the Institute of Internal Auditors (the IIA, www.theiia.org). The Standards require an external assessment to be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. GRC’s last external assessment was completed in June 2022 and achieved the rating of “Generally Conforms with the International Standards for the Professional Practice of Internal Auditing and the IIA Code of Ethics,” which is the highest rating in evaluating compliance to the Core Principles for the Professional Practice of Internal Auditing and the Definition of Internal Auditing.

1 ESG materiality, as referred to on the Cisco Purpose Reporting Hub, and our ESG materiality assessment process are different from "materiality" in the context of SEC disclosure obligations and/or other applicable regulatory disclosures globally. Issues deemed material for our voluntary Purpose reporting and for determining our Purpose strategy may not be considered material for SEC and/or other regulatory purposes, nor does inclusion of information in our voluntary reporting indicate that the topic or information is material to Cisco's business or operating results.