Our due diligence framework and processes are modeled after the Organisation for Economic Co-operation and Development Due Diligence Guidance for Responsible Business Conduct and the United Nations Guiding Principles on Business and Human Rights.
The Cisco Supplier Code of Conduct (the “Code”) is a central component of our due diligence process. The Code sets forth our expectations of suppliers across five key areas: labor, health and safety, environment, ethics, and management systems. As a founding member of the Responsible Business Alliance (RBA), Cisco contributed to the development of the RBA Code of Conduct and adopted the Code as our own Supplier Code of Conduct. Using common standards for social and environmental responsibility enables participating companies to more effectively drive change across global supply chains.
We hold our suppliers — and their suppliers — accountable to the Code and other responsible sourcing policies, and we engage our suppliers to foster improvement through support and education. The Supply Chain Human Rights team develops and implements our due diligence strategy, including our engagement process described below:
New suppliers are assessed to identify potential social and environmental risks within their operations.
After suppliers are fully onboarded to provide products to Cisco, they become part of our regular supplier engagement process.
We evaluate suppliers based on social and environmental risk factors and Cisco's exposure to those risks from operations and production.
Suppliers produce CAPs and evidence that they have implemented their plans.
We require suppliers to complete RBA Self-Assessment Questionnaires (SAQs) and audit high-risk suppliers using RBA's Validated Assessment Program (VAP) to assess their conformance to our Code of Conduct.
Suppliers must address or downgrade priority issues within 30 days and other findings within 180 days.1
If nonconformances are found, we review and approve supplier Corrective Action Plans (CAPs) and monitor their progress toward closure.
For issues such as the monitoring of working hours, suppliers provide long-term improvement plans.
We offer training to help suppliers better align with our values and to drive continuous improvement. For example, we provide guidance and support to sites where practicable to engage workers on use of personal protective equipment (PPE).
Cisco works closely with suppliers until performance improves and to validate finding closure.
Suppliers produce CAPs and evidence that they have implemented their plans.
Suppliers must address or downgrade priority issues within 30 days and other findings within 180 days.1
For issues such as the monitoring of working hours, suppliers provide long-term improvement plans.
Cisco works closely with suppliers until performance improves and to validate finding closure.
1 In alignment with RBA guidance.
As Cisco continues to grow through its acquisition strategy, we have taken steps to embed responsible business into the evaluation process of target companies before closing. We initiate environmental and human rights risk assessments as soon as a target company is announced. We assess if the target company has policies and procedures to safeguard the environment and respect human rights within their operations and supply chains.
We assess new suppliers and new supplier sites during the onboarding process through a questionnaire designed to identify potential social and environmental risks. If risks are identified, we follow up with the supplier to further investigate and determine if the risks need to be addressed prior to launching or scaling business with the supplier. Examples of the types of risk that the questionnaire can identify include:
In fiscal 2025, we identified four sites with risks through this survey process, and these cases are either closed or in progress towards closure.
Our suppliers are required to refresh the RBA's industry-standard SAQs annually. This assessment gives suppliers insight into their own performance and helps Cisco develop leading indicators for risks that can be addressed during an audit or other due diligence processes. Data on SAQ Coverage by Supplier Type can be found on the Data and Assurance page.
Our due diligence processes follow a risk-based approach. Every year, we prioritize suppliers and sites for RBA's Validated Assessment Program (VAP) audits by assessing a variety of risk indicators. Our analysis includes geographic risk factors that may highlight social and environmental risks associated with the countries where our suppliers operate. Our analysis also incorporates suppliers’ past audit performance, repeated audit nonconformances, and presence of vulnerable workers, including foreign migrant workers, young workers, and student workers in their operations. The results of these assessments inform our due diligence, audit plan, and supplier engagement. Each year, we aim to audit at least 50% of supplier sites deemed high-risk according to this annual risk assessment process.
High-risk
vs.
Low-risk
Our comprehensive supplier auditing program helps suppliers improve alignment to the Code. We have adopted the RBA's VAP for onsite audits. As with the SAQs, using RBA's industry-standard programs and protocols reduces survey and audit fatigue and creates consistent conformance expectations for suppliers across the industry.
RBA trains and approves third-party auditors to conduct audits on site. The RBA sets clear conduct and qualification requirements for the independent third-party audit firms and auditors, as shared in the RBA Auditor Guidebook. Auditors walk through production areas, dormitories, and canteens; interview workers and management; and review policy and procedure documentation.
We aim to audit 100% of our outsourced manufacturing partner sites. During fiscal 2025, we audited2 94% of our manufacturing partner sites. Sometimes, sites are unable to maintain valid audits due to relocation of manufacturing operations. We work with the supplier to determine when they can renew their audit at the earliest possible opportunity when the transition is complete. In fiscal 2025, we also audited more than 50% of component supplier facilities that were deemed high-risk according to our annual risk assessment process.
In fiscal 2025, 179 Cisco supplier facilities conducted an Initial RBA Audit. We estimate these audits covered more than 436,358 workers.3 Working hours and emergency preparedness continue to be the largest percentage of our audit nonconformances. We continue to work with suppliers to drive conformance to our standards and develop long-term improvement plans when necessary.
Visit the Data and Assurance page to review data of our supplier auditing program, including RBA audits and audit findings.
2 According to industry standards, RBA Audits are valid for two years from the date of the Initial audit.
3 The RBA is an industry standard scheme that allows suppliers of multiple customers to demonstrate conformance to a single responsible business conduct standard. Number of workers represents all the workers in the supplier facility, not just those supporting Cisco business.
The map below shows some of the most common audit nonconformances in fiscal 2025,
including nonconformances that are persistent and challenging.
When we receive RBA audit reports, our team records and tracks individual nonconformances from discovery until closure, and suppliers must develop CAPs for individual nonconformances. We typically engage with our suppliers remotely to support implementation of onsite actions. In this process, suppliers are required to identify root causes of the nonconformances and develop CAPs with proposed changes to policies, procedures, worker training, and/or communications. They also propose key performance indicators to measure the effectiveness of their actions. Plans are submitted to Cisco and approved if they meet our requirements. A CAP will be opened for any audit that does not achieve all of the following: RBA Gold Recognition, full conformance with the Code requirements on the Prohibition of Forced Labor and Young Workers, and no other Major nonconformances. In fiscal 2025, Cisco reviewed and approved 100% of these CAPs.
If a CAP does not meet our requirements, we coach suppliers on root cause analysis using best practice frameworks, such as the 5 Whys or fishbone mapping. This work drives lasting positive change by addressing the root cause rather than implementing short-term fixes.
Supplier CAPs must adhere to Cisco deadlines and closure requirements as informed by the RBA VAP Protocol. We consider nonconformances closed after we review evidence confirming that workers have been remediated, communicated to, and/or trained in revised policies and procedures. As needed, we use third-party auditors to conduct closure audits on site, as informed by the RBA VAP Protocol, to validate nonconformances have been adequately addressed.
Supply chain management is routinely informed of suppliers’ performance on these plans and holds suppliers accountable to make progress. When we lack leverage to drive resolution, Cisco collaborates with industry peers to foster collective action. If a supplier fails to make efforts to improve, we may stop awarding new business and, when necessary as a last resort, terminate the relationship.
In fiscal 2025, we achieved a 99% closure rate for Priority and Major nonconformances, excluding working hours and social insurance nonconformances due to their longer resolution times. Nonconformances not closed during the year were primarily a result of awaiting government permits and posed no significant risks to workers or the environment.
Visit the Data and Assurance page for more details on CAPs.
We’ve observed that encouraging suppliers to involve their workers in the corrective action process for health and safety issues can lead to longer-lasting solutions. To address health and safety nonconformances — such as personal protective equipment, chemical safety management, and accessibility infrastructure for workers with disabilities — we require selected sites to actively involve workers during the CAP process. The site is instructed to establish a project team, comprising both worker representatives and management. These teams are responsible for identifying root causes of the issue(s), jointly developing improvement plans, and collaborating to implement these plans alongside relevant internal stakeholders. During this process, the team gathers frontline workers’ perspectives on the underlying causes of the issues and solicits suggestions for improvements — for example, via surveys and interviews — to ensure their health concerns and needs are adequately addressed. The supplier must also ensure that an effective grievance mechanism remains in place after the project is concluded, enabling workers to continue to provide input and share concerns regarding the issue, if needed, and ensuring ongoing monitoring and follow-up. We provide suppliers with guidance and resources, including sample surveys and root cause analysis tools, and set regular meetings with sites to support effective worker engagement.
Through capability building, we aim to train suppliers and site managers in best practices to address social and environmental risks. We continuously develop trainings based on identified supplier needs and trends. In fiscal 2025, we delivered trainings to address the following frequent fiscal 2024 audit nonconformances:
510 attendees from 178 supplier facilities took these trainings. Based on pre- and post-training assessment results, attendees’ awareness improved on average by 14% and as much as 48% on specific topics. We also provided trainings to suppliers on key environmental issues.
To improve working conditions, we also build supplier capabilities through tailored coaching, especially for suppliers undergoing an RBA audit for the first time or those who received a low audit score. To help them build more effective CAPs, we may offer suppliers a CAP kickoff meeting to share best practices and provide guidance on how to address nonconformances.
Visit the Data and Assurance page for more information on our capability building efforts.
Since fiscal 2020, we have required our indirect suppliers to abide by our Supplier Code of Conduct. These are suppliers that do not contribute to the manufacturing of Cisco products, but rather provide goods and services that support Cisco’s operations.
In fiscal 2025, we launched quarterly effectiveness reviews to evaluate both process- and impact-oriented metrics across our due diligence areas. We prioritized these metrics based on the significance of their impact, giving particular consideration to representing the effects on rightsholders and each metric's ability to drive actionable improvements. Our approach reflects a strong commitment to continuous improvement, as we regularly refine our reviews to capture the most meaningful and effective indicators across a spectrum of due diligence areas.
