Cornerstone and center of our actions

* Group-wide regulatory framework for assigning roles, responsibilities and control functions within the GRC management system.

We at RUAG base our relationships with the owner as well as with our customers and partners on trust, integrity, and mutual respect. The Board of Directors and the Executive Board are committed to ensuring that we always conduct ourselves in accordance with our values, the applicable regulations and internal directives. Any neglect or violation of these principles for the benefit of commercial success is contradictory to our
corporate culture. RUAG promotes this awareness and is focusing on the areas of risk management, compliance, information security as well as health, safety, security and environment (HSSE).

Risk management comprises the consistent handling of risks in order to support the achievement of objectives, the fulfillment of tasks and the management of the company by providing comprehensive, transparent and up-to-date risk information. The goal is to improve the predictability of events and strengthen our stakeholders’ trust.

Compliance management encompasses activities to ensure regulatory compliance within the company. Mandatory standards as well as targeted measures, structures and processes shall ensure ethical and compliant behavior. The RUAG code of conduct offers the basis and guidelines for our conduct in this respect. Information and IT security management form the basis for efficiently and effectively implementing the comprehensive security strategy. Information security is designed to support our business goals and to protect our information and our critical infrastructure, as well as that of our customers, in relation to confidentiality, integrity and availability. Health, safety, security and environment (HSSE) includes activities related to safety at work and employee health protection as well as to safety, security and environmental protection.

After the Group directive “GRC management system” was passed at the end of 2021, it was implemented step by step during the 2022 business year. Notably, this included the establishment of the GRC organization according to the three-lines-of-defense model and the assignment of the defined responsibilities in the operating units (1st line of defense). Moreover, the GRC reporting system, which was standardized as part of the GRC management system, was implemented. Thanks to the GRC reporting, the Executive Board, the Audit & Risk Management Committee and the Board of Directors are informed about the Group-wide risk situation and the ongoing activities in the individual GRC areas on a quarterly basis. Furthermore, the newly constituted GRC Boards were established on the corresponding management levels with the defined form of reporting. The GRC Boards act as links between the Board of Directors or Audit & Risk Management Committee and the operational business areas. In the GRC area of health, safety, security and environment (HSSE), the creation of the new Group directive “Safety, Security & Environment” was one of the focal points. Key measures to further increase the maturity and the benefits of the GRC management system have been initiated in all GRC areas. This includes, among other things, the implementation of appropriate measures to ensure compliance with the new Swiss Data Protection Act as well as the establishment and the implementation of IT service continuity management (ITSCM) as part of the overarching business continuity management (BCM). In the past year, once again, numerous training and awareness initiatives were implemented in all GRC areas. For example, we rolled out an e-learning module on data protection across the Group, conducted information security trainings and carried out phishing campaigns again.