Cornerstone and center of our actions
The Governance, Risk and Compliance (GRC) management system forms the cornerstone and center of our actions. The organization of the GRC management system and the associated activities and responsibilities are based on the Three-Lines-of-Defense model*.
We at RUAG base our relationships with the owner as well as with our customers and partners on trust, integrity, and mutual respect. The Board of Directors and the Executive Board are committed to ensuring that we always conduct ourselves in accordance with our values, the applicable regulations and internal directives. Any neglect or violation of these principles for the benefit of commercial success is contradictory to our corporate culture. RUAG aims to promote awareness of this and is focusing on the areas of risk management, compliance, and information security.
Risk management comprises the consistent handling of risks in order to support the achievement of objectives, the fulfillment of tasks and the management of the company by providing comprehensive, transparent and up-to-date risk information. The goal is to improve the predictability of events and strengthen our stakeholders’ trust. Compliance management encompasses coordinated activities to ensure regulatory compliance within the company. Mandatory standards as well as targeted measures, structures and processes shall ensure ethical and compliant behavior. The RUAG Code of Conduct offers the basis and guidelines for our conduct in this respect. Information and IT security management forms the basis for an efficient and effective implementation of the comprehensive security strategy. Information security is designed to support our business goals and to protect our information and our critical infrastructure, as well as that of our customers, in relation to confidentiality, integrity and availability.
Based on the initial conceptual elements drawn up in 2020, it has been possible to substantially develop and improve the RUAG GRC and risk management systems during the year under review. The core elements which were developed included the creation of the GRC/risk organization and Group directives for the GRC management system, the risk management system and the information security management system, the definition of a risk management policy as well as the development of a standardized GRC reporting system. For the expansion and formalization of the control activities in the areas of risk management, compliance management and information security, a web-based “GRC control management” system has been implemented. In all areas of GRC, training has been given on the new or changed requirements. In addition, all RUAG employees have completed e-learning modules on the subject of integral security, in accordance with DDPS requirements, as well as modules on three further key topics relating to information security.
* Group-wide regulatory framework for assigning roles, responsibilities and control functions within the GRC management system.