Experian plc

Internal Controls and Risk Management

The Experian plc Board is responsible for the Group's system of internal control and for reviewing its effectiveness. Such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives and can provide reasonable, but not absolute, assurance against material misstatement or loss.

There is an ongoing process for identifying, evaluating and managing the significant risks faced by the Group, including those risks relating to social, ethical and environmental matters.

The Audit Committee keeps under review the effectiveness of systems of internal control and reports regularly to the Board. The Board reviews annually the effectiveness of the key procedures that have been established to provide internal control.

The key procedures are as follows:

Risk assessment

  • The Group sets out its objectives clearly as part of its planning process. These objectives are incorporated as part of the planning cycle and are supported by the use of both financial and non-financial key performance indicators.
  • Risks are methodically anticipated, identified, assessed and appropriately mitigated as part of an enterprise-wide risk management process headed by an executive risk management committee (ERMC), supported by regional risk management committees (RRMC).
  • The ERMC has responsibility for oversight of the Group’s risk management process and monitors and evaluates the Group’s global risk profile. Responsibility for evaluation and mitigation of regional risk falls to the RRMC, to which Experian’s business units submit reports on a quarterly basis, detailing identified risks, associated mitigation strategies and the status of implemented action steps.
  • Senior management makes presentations on risk to the Audit Committee, which reports regularly to the Board on the risks facing the Group’s businesses.
  • The Audit Committee has delegated responsibility from the Board for reviewing the effectiveness of the Group’s internal controls and receives an annual report on the controls over these risks. This includes risks arising from social, ethical and environmental matters.
  • The Group has in place a number of strategic project committees, whose reviews are considered an essential part of the delegated authorities process. These committees have established processes, which include risk assessment as an integral component.
  • The Group has in place a full-time Global Enterprise Risk Manager.

Control environment and control activities

  • The Group has established procedures and detailed matrices for delegated authority, which ensure that decisions that are significant, either because of their value or the inherent degree of risk, are taken at an appropriate level.
  • The Group has implemented appropriate strategies to deal with each significant risk that has been identified. These strategies include internal controls, insurance and specialised treasury instruments.
  • The Group sets out principles, policies and standards to be adhered to throughout its business. These include risk identification, management and reporting standards, ethical principles and practice, accounting policy, treasury policy, information security policy and policy on fraud and whistleblowing.

Information and communication

  • The Group has a comprehensive system of budgetary control, including monthly performance reviews for each major business. These reviews are at a detailed level within each region and at a high level for the Board.
  • On a monthly basis, the achievement of business objectives, both financial and non-financial, is assessed using a range of performance indicators. These indicators are reviewed to ensure that they remain relevant and reliable.
  • The Group has whistleblowing procedures for employees to report suspected improprieties.

Monitoring

  • A range of procedures is used to monitor the effective application of internal control in the Group, including management assurance, through the ongoing risk management process, and independent assurance, through internal audit reviews and review by specialist third parties.
  • The internal audit department's responsibilities include reporting to the Audit Committee on the effectiveness of internal control systems, focusing on those areas considered to be of greatest risk to the Group.
  • Follow-up processes are used to ensure appropriate response to changes and developments in risks and the control environment.