Risk management
Cisco's leadership is responsible for day-to-day risk management activities. The Board of Directors, acting directly and through its committees, is responsible for the oversight of Cisco's risk management. With the oversight of the Board of Directors, Cisco's management has implemented practices, processes, and programs designed to help manage the risks to which we are exposed in our business and to align risk-taking appropriately with our efforts to increase stockholder value.
Cisco's management has implemented an enterprise risk management (ERM) program, managed by Cisco's internal audit function, that is designed to work across the business to identify, assess, govern, and manage risks and Cisco's response to those risks. Cisco's internal audit function performs an annual risk assessment, which is utilized by the ERM program. The structure of the ERM program includes both an ERM operating committee that focuses on risk management-related topics and an ERM executive committee consisting of members of management. The ERM operating committee conducts global risk reviews and provides regular updates to the ERM executive committee.
The Audit Committee, which oversees our financial and risk management policies, including data protection (comprising both privacy and security), receives regular reports on ERM from the chair of the ERM operating committee, as well as regular reports on cybersecurity from Cisco's Chief Security and Trust Officer multiple times a year. Other Board committees oversee certain categories of risk associated with their respective areas of responsibility.
The Environmental, Social, and Public Policy Committee of the Board oversees Cisco's initiatives, policies, programs, and strategies concerning environmental sustainability and other key corporate social responsibility and public policy matters. The Compensation Committee of the Board oversees the development and implementation of Cisco's practices, strategies, and policies used for recruiting, managing, and developing employees (i.e., human capital management). These practices, strategies, and policies focus on diversity and inclusion, workplace environment and safety, and corporate culture. In addition, the full Board receives updates on Cisco's overall CSR strategy, including ESG matters, from management.
The Governance, Risk and Controls (GRC) organization manages the company's internal audit function. GRC operates under the International Standards for the Professional Practice of Internal Auditing (the Standards) as published by the Institute of Internal Auditors (the IIA, www.theiia.org). The Standards require an external assessment to be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. GRC's last external assessment was completed in June 2022 and achieved the rating of "Generally Conforms with the International Standards for the Professional Practice of Internal Auditing and the IIA Code of Ethics," which is the highest rating in evaluating compliance with the Core Principles for the Professional Practice of Internal Auditing and the Definition of Internal Auditing.