Skip to Main Content
(Press Enter)
ON THIS PAGE:
Risk assessment Self-assessment and audits
Key audit nonconformances and actions Corrective Action Plans
Capability building Expanding the Supplier Code of Conduct to indirect suppliers

Code of Conduct

The Supplier Code of Conduct captures our expectations of suppliers for labor, health and safety, environment, ethics, and management systems.

Our Cisco Supplier Code of Conduct is a cornerstone of our commitment to the OECD Due Diligence Guidance for Responsible Business Conduct and the UN Guiding Principles (UNGPs) on Business and Human Rights. As a founding member of the Responsible Business Alliance (RBA), Cisco contributed to develop the RBA Code of Conduct and adopted the Code as our own Supplier Code of Conduct. The RBA sets consistent standards to drive social and environmental responsibility across global supply chains and is comprised of electronics, retail, auto, and toy companies. These standards set a baseline from which to catalyze broad systems change. We hold our suppliers—and their suppliers—accountable to the Supplier Code of Conduct and other responsible sourcing policies.

The supplier engagement process is essential to drive improvement within our supply chain and across our industry. We believe it is important to continually evaluate our suppliers and help them improve through leadership, support, and education. The engagement process includes five main phases, described below:

Supplier engagement on Code of Conduct

Infographic detailing our supplier engagement on Code of Conduct

Risk assessment

Each year we evaluate our supply base to prioritize suppliers and sites for onsite RBA audits. This annual assessment includes social and environmental risk factors, inherent risks from operations and production, and exposure to those risks. We rely on indicators to assess vulnerabilities and protections in the geographies where suppliers operate. Examples include:

  • The UN Human Development Index
  • World Bank Governance Indicators
  • Indicators for forced labor and child labor
  • Indicators for environmental health and performance

Our assessment methodology includes criteria for assessing the presence of vulnerable workers such as foreign migrant workers, young workers, and student workers. The inclusion of these factors has helped increase our due diligence focus on protecting vulnerable workers.

We also incorporate suppliers' previous audit performance and repeated nonconformances in our overall methodology. The results of this assessment feed into our due diligence, audits and assessments, and supplier engagement plans.

Risk assessment process

Geographic risk factors

  • Human development and governance indicators
  • Forced labor indicators
  • Environmental
    performance indicators

Supply chain risk

  • Past social and environmental performance
  • Presence of vulnerable workers
  • Unresolved issues and repeat findings

Exposure risk

  • Cisco's strategic relationship with supplier

Self-assessment and audits

We have adopted the RBA's industry-standard Self-Assessment Questionnaires (SAQs) and the Validated Assessment Program (VAP) for onsite audits. Using RBA's industry-standard programs and protocols reduces survey and audit fatigue and gives suppliers consistent conformance expectations.

SAQs engage suppliers to assess their conformance to the RBA Code of Conduct and identify gaps. The assessments give suppliers insight into their own performance and help Cisco develop leading indicators for risks that can be addressed during an audit or other due diligence processes.

Self-assessment questionnaire coverage by supplier type
  FY19 FY20 FY21 FY22 FY23
Manufacturing partners FY19: 100% FY20: 100% FY21: 100% FY22: 100% FY23: 100%
Components suppliers (by spend) FY19: 80% FY20: 80% FY21: 85% FY22: 92% FY23: 98%
Logistics suppliers FY19: 100% FY20: 100% FY21: 65% FY22: 100% FY23: 90%

Our comprehensive supplier auditing program helps suppliers build capability and improve their performance. Third-party auditors trained and certified in social and environmental auditing and RBA's VAP protocols conduct audits on site. Auditors walk through production areas, dormitories, and canteens; interview workers and management; and review policy and procedure documentation. More information about VAP standard protocols can be found on the RBA website.

We require regular audits of manufacturing partners every two years. In fiscal 2023, we audited at least 50 percent of component supplier facilities that were deemed high risk according to our annual risk assessment process.

RBA Initial Audits1 conducted by supplier type
  FY19 FY20 FY21 FY22 FY23
Manufacturing partner facilities FY19: 8 FY20: 6 FY21: 16 FY22: 12 FY23: 13
Component supplier facilities FY19: 67 FY20: 60 FY21: 78 FY22: 107 FY23: 154
Logistics service provider facilities FY19:   FY20:   FY21:   FY22: 2 FY23: 2
Total FY19: 75 FY20: 66 FY21: 94 FY22: 121 FY23: 169

1 Initial Audits cover the full scope of the RBA Code as opposed to "Closure" audits which address nonconformances identified in an Initial Audit.

In fiscal 2023, 169 Cisco supplier facilities conducted RBA Initial Audits. We estimate these audits covered more than 446,000 workers. Working hours and emergency preparedness remained the largest portion of our audit nonconformances. We continue to work with suppliers to drive conformance to our standards and develop long-term improvement plans when necessary.

Number of workers covered by RBA Audits in FY232
  Male Female Total Foreign migrant workers
Manufacturing partners Male: 25,850 Female: 29,039 Total: 54,889 Foreign migrant workers: 5,185
Components suppliers Male: 190,861 Female: 200,231 Total: 391,092 Foreign migrant workers: 15,673
Logistics suppliers Male: 498 Female: 203 Total: 701 Foreign migrant workers: 68
Grand total Male: 217,209 Female: 229,473 Total: 446,682 Foreign migrant workers: 20,926

2 The RBA is an industry standard scheme which allows suppliers of multiple customers to demonstrate conformance to a single responsible business conduct standard. Number of workers represent the total supply chain workers in the entire supplier facility audited.

Key audit nonconformances and actions taken across the globe

Here are some of the most common audit nonconformances in fiscal 2023, including nonconformances that are persistent and challenging.

click on the sections for more info

Working Hours and Days of Rest

  • China
  • Germany
  • India
  • Indonesia
  • Malaysia
  • Malta
  • Mexico
  • Netherlands
  • Philippines
  • South Korea
  • Taiwan
  • Thailand
  • USA
  • Vietnam

Finding

  • Hours worked in a workweek exceed 60 hours
  • Workers do not receive at least one day off every seven days
  • Overtime exceeds local law

Action plan

  • Recruit more workers, improve process automation, establish limits and procedures for approving overtime, and internally monitor working hours
  • Arrange productions plan to align with shift planning processes
  • Accelerate cross-training of workers
  • Improve customer demand forecasts to inform human resource needs

Context

  • Some local labor laws have stricter overtime requirements than the RBA code. In addition, pandemic impacts, material shortages, and labor shortages contribute to more overtime.

Emergency preparedness (fire safety permits and emergency exit doors)

  • China
  • Germany
  • India
  • Japan
  • Malaysia
  • Mexico
  • Netherlands
  • Philippines
  • South Korea
  • Taiwan
  • USA
  • Vietnam
Finding
  • Exit discharge and exit route doors do not meet legal/RBA requirements, such as missing emergency exits, blocked exits and evacuation routes, and improper fire doors
  • Missing or inappropriate emergency exit lighting, directional signs
Action plan
  • Identify, procure, and install enough exits and fire emergency doors, signs, and lights as required
  • Develop and implement procedures for routine inspections and monitoring
  • Update and train workers on new emergency procedures and train people on RBA requirements
Context
  • In some cases, suppliers have the inappropriate type of doors or lighting installed for adequate emergency evacuation.

Wages and Benefits

  • China
  • India
  • Netherlands
  • Philippines
  • Vietnam

Finding

  • Workers receive social insurance and a housing fund, but deductions are not calculated according to legal requirements
  • Workers are not covered by housing fund

Action plan

  • Enroll workers into social insurance and housing fund programs
  • Support alignment of wage deductions for social insurance and housing fund programs are calculated aligned with local laws
  • Communicate social insurance and housing fund information and legal requirements to workers
  • Work to improve compliance with local law in balance with the desires of workers

Context

  • Chinese social insurance and housing fund standards vary across provinces. Workers, especially domestic migrant workers, cannot always access social insurance funds. Some opt out of certain insurance deductions from their paychecks. When this is out of compliance with local law, it is a finding in an RBA audit.

Occupational safety (health & safety permits and pregnant women & nursing mothers)

  • China
  • India
  • Indonesia
  • Mexico
  • Netherlands
  • Philippines
  • Taiwan
Finding
  • Legal permits, licenses, and testing reports not available or not renewed on time
  • No or inadequate risk assessment, policy, or procedures to protect pregnant women and nursing mothers
  • No accommodation for nursing mothers
Action plan
  • Update policies for pregnant workers and nursing mothers
  • Conduct risk assessment for pregnant workers and nursing mothers
  • Train employees on RBA/legal requirements for pregnant workers and nursing mothers
  • Communicate policy and procedure changes to managers and workforce
  • Provide accommodations, e.g., a safe, private space for nursing mothers
Context
  • Factories often ignore this requirement, as they seldom have pregnant women onsite. Many do not understand how to do risk assessments for these workers.

Freely Chosen Employment

  • China
  • Czech Republic
  • Japan
  • Malaysia
  • Netherlands
  • Philippines
  • Taiwan

Finding

  • Workers pay fees that should be paid by the employer (e.g., health check fees, recruitment fees, passport fees)
  • Workers pay fees during the recruitment process and then employers reimburse workers after they commence employment

Action plan

  • Stop fees from being charged to workers and repay any fees found to have been paid by workers per RBA requirements
  • Establish Employer Pays Policy and communicate this to the workers and labor agency

Context

  • Some employers interpret an "Employer Pays Policy" as allowing workers to be reimbursed instead of employer covering recruitment-related fees up front.
Review Cisco RBA audit nonconformance results here

Corrective Action Plans

When we receive RBA audit reports, individual nonconformances are recorded and tracked through various phases from discovery until closure. Suppliers must develop Corrective Action Plans (CAPs) for individual nonconformances. In this process, suppliers identify the root cause for the nonconformance and develop an action plan with proposed changes to policies, procedures, worker training, or communications. They also propose key performance indicators to measure the effectiveness of their actions. Plans are submitted to Cisco and approved if they meet our requirements.

If a CAP does not meet our requirements, we coach suppliers in root cause analysis using best practice frameworks, such as the 5 Whys or Fish-Bone mapping. This work drives lasting positive change by addressing the root cause rather than implementing short-term fixes.

Supplier CAPs must adhere to Cisco deadlines informed by the RBA VAP Protocol. Suppliers must close nonconformances according to Cisco's policies, depending on the severity of the nonconformance. We consider nonconformances closed after we review evidence confirming that workers have been remediated, communicated to, and/or trained on revised policies and procedures. As needed, we use third-party auditors to conduct closure audits on site, as informed by the RBA VAP protocol.

In fiscal 2023, our closure rate of priority and major nonconformances was 99 percent, excluding nonconformances for working hours and social insurance. We do not include working hours and social insurance nonconformances when calculating closure rates, as they can take longer to implement than RBA's recommended closure guidelines. Of the nonconformances that were not closed during the year, most were due to specific permits awaiting government approval and related activities that did not pose particular risks to workers or the environment.

Capability building

Training and building the capabilities of our suppliers is necessary to make lasting improvements to working conditions. Some suppliers require more coaching and monitoring than others. This depends on the maturity of their programs and the complexity or severity of issues discovered in audits.

For suppliers undergoing the RBA audit for the first time, or that received a low audit score, we conduct a CAP kickoff meeting to comprehensively review nonconformances and provide in-depth coaching on how to improve. Cisco may coach suppliers and share best practices or assign e-learning courses delivered through RBA's e-Learning Academy according to their audit nonconformances. These courses help them gain an understanding of requirements and build more effective CAPs.

Our goal is to proactively train suppliers on best practices. For fiscal 2023, Cisco delivered the following trainings to address the most frequent issues identified in fiscal 2022 audits, as well as to support overall RBA requirements:

  • Newly onboarded RBA code supplier training: This training focused on helping newly onboarded suppliers understand general RBA Code requirements, including elevating the top issues Cisco sees in RBA audits. In addition, the training offered newly onboarded suppliers an overview of best practices on how to address common issues, including fees passed on to workers, and Cisco's expectations on supplier evaluation risk performance. More than 16 attendees from at least 13 sites attended this session.
  • Health and safety risk assessment and management training: This training highlighted the latest RBA requirements on health and safety risk assessments. The training also shared emerging best practices on how to assess and control for risks identified. It highlighted common workplace health and safety hazards and actions to protect workers from exposure. A total of 137 attendees from more than 48 sites joined this session.
  • Industrial hygiene training: This event trained Cisco suppliers on the latest RBA code requirements on industrial hygiene and provided a preview of what will be changed in the updated version of the code. There were 58 attendees from more than 36 sites that attended this training.

We continue developing trainings based on suppliers' needs and trends that we identify throughout the year.

Expanding the Supplier Code of Conduct to indirect suppliers

We have taken steps to expand the application of our Supplier Code of Conduct to our indirect supply chain, or suppliers that provide goods and services not directly related to the manufacturing of Cisco products. Since fiscal 2020, we have required indirect suppliers to abide by the code.

During fiscal 2023, Cisco conducted a risk assessment on our global preferred suppliers within indirect procurement. The global preferred suppliers were prioritized based on their strategic relationships to Cisco and included more than 80 percent of Cisco’s indirect spend. The process assessed specific spend categories against the potential for human rights impacts and risks to worker wellbeing. To identify high-risk suppliers, Cisco leveraged existing risk management data, including data obtained during the supplier onboarding process, open ethics cases, denied parties list, and geographic supply chain risk considerations. The result of the risk assessment was a total of 15 suppliers in six countries that required further investigation. To understand the potential risks at these supplier sites, Cisco leveraged the RBA Indirect Spend SAQ. This questionnaire, which Cisco was involved in developing, was created to help companies better understand the unique risks posed by indirect suppliers. The RBA provides a risk rating for submitted SAQs to help companies determine appropriate actions to address identified risks.

Indirect SAQs submitted to date have been deemed “low risk.” Using the findings from this process, Cisco compiled key best practices to inform our procedures moving forward. Cisco continues conducting due diligence to better understand risks facing our indirect supply chain and prepare those suppliers to mitigate risks in their own operations.

Cisco continues to participate in the RBA Working Group on Indirect Supply Chains. This group focuses on understanding key human rights, environmental and ethical risks associated with indirect spend suppliers, and developing special tools to assess, remedy, and prevent future risks. Collaborating with industry peers and the RBA has allowed us to adapt tools and processes to the indirect procurement space while collectively learning and addressing unique challenges related to service procurement.

Supplier engagement on Code of Conduct

  1. Supplier onboarding: New suppliers are assessed to identify potential social and environmental risks within their operations.

    After suppliers are fully onboarded to provide products to Cisco, they become part of our regular supplier engagement process.

  2. Risk assessment: We evaluate suppliers based on social and environmental risk factors and Cisco's exposure to those risks from operations and production.
  3. Self assessment and audits: We require suppliers to complete RBA Self-Assessment Questionnaires, and audit high-risk suppliers using RBA's Validated Assessment Program (VAP) to assess their conformance to our Code of Conduct.
  4. Corrective action plans (CAPs): If nonconformances are found, we review and approve supplier CAPs and monitor their progress toward closure.
    • Suppliers produce CAPs and evidence that they have implemented their plans.
    • Suppliers must address or downgrade priority issues within days and other findings within 180 days.
    • For issues such as the monitoring of working hours, suppliers provide longterm improvement plans.
    • Cisco works closely with suppliers until performance improves and to validate finding closure.
  5. Capability building: We offer training to help suppliers better align with our values and to drive continuous improvement. For example, we provide guidance and support factories where practicable to engage workers on use of personal protective equipment.