Strategy, Governance, and Risk Management
Our approach to Purpose strategy and corporate governance is consistent with our commitment to responsible business, transparency, and best-in-class practices.
At Cisco, our Purpose includes our work related to ethical business practices, digital skills and learning, employee development, social impact and inclusion, and energy and sustainability.
Cisco's Purpose is to Power an Inclusive Future for All, and our People, Policy, and Purpose organization leads our strategic approach to Purpose performance and transparency. Within this organization, teams are responsible for:
Business functions also own Purpose priorities. Teams integrate priorities into their business strategies by setting goals, implementing plans, and measuring performance. Many priorities and goals involve multiple functions, with cross-functional teams established to support alignment and accountability.
Cisco's Responsible Business Steering Committee, comprised of cross-functional senior leaders, provides oversight and management of Cisco's Purpose initiatives and reports on these matters to our Executive Leadership Team (ELT) and, as appropriate, the Board of Directors.
The Board of Directors, acting directly and through its committees, is responsible for oversight of Cisco’s risk management activities. Cisco’s management teams are responsible for day-to-day risk management activities — implementing practices, processes, and programs designed to help manage the risks to which we are exposed in our business and aligning risk-taking appropriately with our efforts to increase stockholder value. Management teams provide regular updates to the Board of Directors.
Cisco has an enterprise risk management (ERM) program that works across the business to identify, assess, govern, and manage risks and Cisco’s response to those risks. Cisco’s internal audit function performs an annual risk assessment, which is utilized by the ERM program. The ERM program's structure includes an ERM operating committee that focuses on risk management-related topics and an ERM executive committee consisting of members of our ELT.
The Governance, Risk, and Controls (GRC) organization manages Cisco's internal audit function. GRC operates under the International Standards for the Professional Practice of Internal Auditing (the Standards) as published by the Institute of Internal Auditors (the IIA, www.theiia.org). The Standards require an external assessment to be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. GRC’s last external assessment was completed in June 2022 and achieved the rating of “Generally Conforms with the International Standards for the Professional Practice of Internal Auditing and the IIA Code of Ethics,” which is the highest rating in evaluating compliance with the Core Principles for the Professional Practice of Internal Auditing and the Definition of Internal Auditing.
The Board, directly and through the Audit Committee, oversees our financial and risk management policies, including data protection initiatives comprising both privacy and security management. The Board receives regular reports on ERM from the chair of the ERM operating committee, as well as regular reports on cybersecurity from Cisco’s Chief Security and Trust Officer. Other Board committees oversee certain categories of risk associated with their respective areas of responsibility.
The Public Policy Committee of the Board oversees the company’s initiatives, policies, programs, and strategies concerning public policy and certain related matters, as more fully set forth in the Committee's Charter. Such oversight by the Public Policy Committee includes reviewing, as appropriate, the company’s annual Purpose Report and related matters.
The Compensation and Management Development Committee of the Board oversees the development and implementation of Cisco’s practices, strategies, and policies used for recruiting, managing, and developing employees (i.e., human capital management).
Oversees Cisco’s initiatives, policies, programs, and strategies concerning public policy and certain related matters. Such oversight includes reviewing, as appropriate, our annual Purpose Report and related matters.
Champions Cisco's companywide commitment to our Purpose
Conduct due diligence and implement policies and programs for specific focus areas
Drive efforts across the business to help identify, assess, and manage risks