© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Enterprise Risk Management at Cisco

NC State University
Rob Rolfsen, Director, Global Risk Management
March 23, 2007

Cisco - ERM at Cisco Presentation



Agenda

• Growing Importance of ERM
• Cisco’s ERM Program
• Our ERM Process
• FY07 Plans
• Success Story


The Growing Influence of Risk Management

A majority of companies are choosing ERM…

[Chart: share of companies by ERM status. Segments: Preparing/Developing/Implementing; Positively disposed; Have rejected]

…and ERM is seen as an increasingly important responsibility

[Chart: degree of importance (Very high; Significant; Somewhat or less) for Internal audit, CFO, CEO and Board]

Conference Board/Mercer Oliver Wyman survey


Primary Drivers for Implementing ERM*

Rank | Driver | Percent
1 | Corporate governance requirements | 66%
2 | Greater understanding of strategic and operating risks | 60%
3 | Regulatory pressures | 53%
4 | Board request | 51%
5 | Competitive advantage | 41%

* Multiple answers allowed

Conference Board/Mercer Oliver Wyman survey


Highest Priority ERM Objectives*

Objective | Percent
Ensure risk issues are explicitly considered in decision making | 44%
Avoid surprises and “predictable” failures | 40%
Align risk exposures and mitigation programs | 24%
Institute more rigorous risk measurement | 19%
Integrate ERM into other corporate practices like strategic planning | 17%

* Multiple answers allowed

Conference Board/Mercer Oliver Wyman survey


At Most Companies, ERM is Still a Work in Progress

ERM efforts are still in their infancy at many companies and face many constraints

Depending on the company, it takes three to five years to fully integrate and operationalize advanced risk practices

The cost of developing and building an ERM framework is not insubstantial

Many firms consider specific risks within certain business units, but they rarely examine risk strategies at the company-wide level

Conference Board/Mercer Oliver Wyman survey


Cisco’s ERM Organization

• Led by Chris Kite, VP, Global Risk Management/Workplace Resources
• Dotted line reporting into the Board of Directors
• Virtual Multi-disciplined global team
• Corporate Executive Sponsors
  • Randy Pond – COO
  • Dennis Powell – CFO
• Meet Regularly with Executive Sponsors and Risk Review Group
  • RRG = ICS, IT, Finance, HR & Supply Chain
• Report Quarterly to Audit Committee and Investment Committee


ERM at Cisco


Enterprise Risk Management

“How Do I take more Intelligent Risks?”
• Disciplined Decision Making
• Risk Timing
• Business & Technology Innovation
• Increased Shareholder Value
• Industry Leadership

“Is my current Risk level in control?”
• Business Risk Monitoring
• Risk Responsiveness
• Tolerance
  – Controllable Risks
  – Non-Controllable Risks

“How Do I Reduce Business Risk?”
• Risk Analysis
• Risk Assessment
• Business Continuity Planning
• Business Resilience

[Diagram labels: OPTIMIZE, GROW, PROTECT; ERM; Corporate Strategy]


Cisco’s Integrated ERM Framework

Integrate ERM in Corporate Compliance and Governance Activities

• Integrate key risk processes and systems
• Understand Cisco’s risk appetite
• Sustain a risk-based approach to improving and managing Corporate compliance and governance
• Use Risk Review Group to increase multi-disciplinary risk education, awareness and information sharing

[Diagram labels: Internal Controls (ICS); Sarbanes Oxley (SOX); Risk Management (RM); Finance Planning and Analysis (FP&A)]


Cisco’s ERM Process

Determine priorities for ERM via Risk Review Group and Board

Identify Executive Sponsor in area to be assessed

Interview key executives in multiple functional areas re: their perceptions of key risks facing the company and their quantification of the probability, severity and current management effectiveness at managing the risk – the discussion is the most important aspect

Consolidate interview results, identify key risks and report back to Executive Sponsor and collect feedback

Share final report with Corporate Executive Sponsors and Audit Committee

Facilitate discussions/workshops with risk owners wrt decisions re: identified key risks

Track progress via Ops Reviews, Risk Review Group, Internal Audit Schedule and integrate with business planning


Assessment Criteria: Probability, Severity and Management Effectiveness

Score | Probability | Severity - Annual Impact to Cisco Profitability
1.00 | Remote | <$35M or Insignificant
2.00 | Possible | $35M - $150M or Minimal
3.00 | Probable | $150M - $1B or Significant
4.00 | Almost Certain | > $1B or Catastrophic

Management Effectiveness

4.00 Assessment completed. Mitigation is in place. Reporting and Monitoring in place.

3.00 Assessment completed. Mitigation is in place. Reporting and Monitoring not in place.

2.00 Assessment completed. Mitigation is not in place. Reporting and Monitoring not in place.

1.00 Assessment not completed. Mitigation not in place. Reporting and Monitoring not in place.


Business Risk Inventory

EXTERNAL RISKS

• Capital Availability • Competitor • Customer Needs • Disease • Economy • Financial Markets • Industry • Legal • Natural Hazard/Catastrophe • Regulatory • Shareholder Relations • Sovereign/Political • Technological Innovation • Terrorism

INTERNAL RISKS

Strategic

• Brand/Reputation • Business Model • Business Portfolio • Delivery Channels • Intellectual Property • Marketplace • Organization Structure • Planning • Product Life Cycle • Resource Allocation • Social Responsibility

Operational

Process

• Alignment • Business Interruption • Capacity • Change Response • Compliance • Contract Commitment • Customer Satisfaction • Cycle Time • Efficiency • Environmental • Health & Safety • Knowledge Management • Measurement • Partnering • Performance Gap • Physical Security • Product Development • Product Liability • Product/Service Failure • Product/Service Pricing • Relationship Mgmt • Strategy Implementation • Sourcing • Supply Chain • Transaction Processing

Human Capital

• Accountability • Change Readiness • Communications • Competencies/Skills • Empowerment • Hiring/Retention • Leadership • Outsourcing • Performance Incentives • Succession Planning • Training/Development

Integrity

• Conflict of Interest • Employee Fraud • Ethical Decision Making • Illegal Acts • Management Fraud • Third-Party Fraud • Unauthorized Acts

Technology

• Access • Availability • Capacity • Data Integrity • e-Commerce • Infrastructure • Relevance • Reliability

Management Information

• Accounting Information • Budgeting & Forecasting • Completeness/Accuracy • Investment Evaluation • Pension Fund • Regulatory Reporting • Taxation • Sarbanes Oxley

Financial

• Cash Flow • Collateral • Commodities • Concentration • Counterparty • Credit • Default • Equity • Financial Instruments • Foreign Exchange • Interest Rate • Liquidity • Modeling • Opportunity Cost

INDUSTRY-SPECIFIC RISKS


FY07 ERM Objectives

Enhance understanding of risks affecting theatres & subsidiaries & the drivers of those risks

Raise the level of ERM awareness & education within Cisco & externally

Integrate risk management with existing processes – investment management, strategic planning & business development

Continue to integrate risk management with line management processes


ERM Success Story

• ERM group invited to participate in workshops with the Emerging Markets Group to help executives understand the risks the company faced.
• Emerging Markets (EM) sales team asked ERM to help build risk into its decision-making models.
• As part of the overall go-to-market strategy, an Emerging Countries Council was put in place to govern doing business in these developing countries.
• Risks, specifically safety and security and ethics risks, are quantified and discussed as part of the overall decision-making process.
• Developed ten key quantifiable variables to help drive a more risk-informed decision-making process:
  – Macroeconomic – credit, interest rates, foreign exchange
  – Political and Ethical – fraud and competitor, expropriation
  – Operational – regulatory, complexity, health & safety
  – Strategic – early mover advantage, marketplace (partners), brand reputation/IP

The ultimate goal is to be able to allocate resources more effectively and to answer the question of which resources the company should be devoting to which countries.


Emerging Markets Risk Analysis
