Risk management and principal risks

Identifying and managing risk

Identifying and managing risk is key to our business. Doing so helps us deliver long-term shareholder value and protect our business, people, assets, capital and reputation.


Our risk management process

The Board is responsible for maintaining and reviewing the effectiveness of our risk management activities from a strategic, financial, and operational perspective. These activities are designed to identify and manage, rather than eliminate, the risk of failure to achieve business objectives or to successfully deliver our business strategy.

The risk management process is designed to identify, assess, respond to, report on and monitor the risks that threaten our ability to achieve our business strategy and objectives, within our risk appetite.

We follow the Three Lines of Defence approach to risk management. Risks are owned and managed within the business (First Line of Defence) and reviewed by our businesses at least quarterly. Global governance teams (from the Second Line of Defence) review risks and controls, including those relating to information security, compliance and business continuity. Global Internal Audit as the Third Line of Defence assesses our risks and controls independently and objectively. The results of these reviews feed into our reporting cycle through the risk management governance structure.

Risk categories

Strategic risk

  • Country/Political/Economic
  • Acquisitions
  • Competitor
  • Business strategy
  • Publicity

Financial risk

  • Accounting
  • Credit
  • Liquidity
  • Tax
  • Market
  • Currency

Regulatory/Compliance risk

  • Credit reference
  • Privacy
  • Financial crime

Operational risk

  • Technology
  • Information security
  • Physical security
  • Continuity
  • Third party
  • People
  • Process

Risk management process (diagram text)

  • Consider key business objectives
  • Identify principal risks
  • Identify key controls
  • Assess controls
  • Estimate likelihood, impact and velocity
  • Consider financial, legal, regulatory, reputation and conduct exposure
  • Accept or remediate current risk and control environment
  • Determine corrective action if needed
  • Business unit and regional level
  • RRMCs and ERMC
  • Audit Committee


Our risk profile

Our risk identification processes follow a dual approach:

  • A bottom-up approach at a business unit or country level. This identifies the risks that threaten an individual business unit activity. To provide visibility of issues across the business, we consolidate these risks at a regional and global level, then escalate to the Risk Management Committees.
  • A top-down approach at the global level. This identifies the principal risks that threaten the delivery of our strategy (see below). The diagram on this page summarises our principal risk profile and trends in the threat levels (on a net/residual risk basis) since the last reporting period. Compared to last year, the principal risks remain the same.

Our strategic focus areas

1 Make credit and lending simpler, faster and safer for consumers and businesses

2 Empower consumers to improve their financial lives

3 Help businesses verify identity and combat fraud

4 Help organisations in specialised verticals harness data, analytics and software to make smarter decisions

5 Enable businesses to find, understand and connect with audiences

Risk appetite

The Board sets our overarching risk appetite for principal risks across our risk categories that we face in the normal course of business. We assess the level of risk against the risk appetite to ensure we focus our efforts appropriately. We target risks for assessment based on gross risk and measure them based on net risk using a risk and control assessment methodology. We then prioritise them for mitigation. The Board and Audit Committee review the principal risks on an ongoing basis, as does the ERMC. We use a variety of information sources to show if we are working within our tolerance for these risks and whether or not any of them require additional executive attention.

Our risk culture

The Board is committed to maintaining a culture that emphasises the importance of managing risk and encourages transparent and timely risk reporting. We work to align employees’ behaviours, attitudes and incentives with our risk appetite and with our risk management and other governance policies. Our risk governance process reinforces and facilitates appropriate ownership, accountability, escalation and management of our principal risks. This process includes: well-defined roles and responsibilities across our Three Lines of Defence model; assigning accountability for risk-taking when making key business decisions; documenting clear boundaries and behavioural expectations in policies and standards; and creating an environment that reinforces adherence and accountability. Our governance structure is designed to be agile in both managing existing risks and reacting to any newly identified risks. Material risks are discussed in one or more of our governance forums, and ad-hoc meetings are held when needed, to quickly assess and determine appropriate risk responses.

Current areas of focus

Our risk landscape continues to change as both business and regulatory environments evolve.

We continue to make good progress in becoming more proactive in the identification and management of our principal risks through a combination of best-in-class risk practices, greater engagement across the Three Lines of Defence and increased use of data and analytics. We continuously review our risk-related policies to ensure they are in line with current risk management expectations.

We completed an external review of our operational risk management programme. While there were no material gaps identified in terms of the areas of focus, we have undertaken a transformational project related to the overall programme to implement the consultant’s recommendations. We expect to make substantial progress on these recommendations through FY23.

In addition to known principal risks, we continue to identify and analyse emerging ones, and discuss these, as appropriate, in different forums, including the ERMC and Audit Committee.

Some of the emerging risks we are currently considering include:

  • ESG matters: the Group continues to focus on various ESG aspects. We are committed to becoming carbon neutral in our own operations by 2030¹. The TCFD statement in last year’s report (see Annual Report 2021 page 53) already covered most of the required TCFD disclosure. This year, the TCFD statement has been updated to reflect the scenario analysis performed across the Group (see page 64), and our disclosure fully aligns to the recommendations of the TCFD framework. We continue to make progress in social innovation and financial inclusion. We also formalised Experian's Data Principles, which embody our values as they relate to data, and provide a guidepost for how we manage and use data, build products and conduct our business.
  • Pandemic response: The COVID-19 pandemic, including successive variants, continues to pose threats to safety, business operations and the broader economy in several countries globally. Experian has handled the impacts of COVID-19 successfully so far, but we continue to pay close attention to developments related to the pandemic and make adjustments, where appropriate, to the way we work as an organisation.
  • Bots/Artificial Intelligence: As more automation is employed to perform operational tasks and there is increasing interconnectedness, strong governance is required to ensure that risks (such as security, change management, single person dependency, completeness/accuracy of data) are appropriately managed. In some regions, regulators are prescribing constraining governance which may impact the ease of using these technologies for certain activities. We are also monitoring emerging regulation of Artificial Intelligence for impact on historical credit scoring algorithms.

¹ All references in this Annual Report to ‘carbon neutral in our own operations by 2030’ include all Scope 1 and 2 emissions, plus within Scope 3 the categories of ‘Purchased Goods and Services’, ‘Business Travel’ and ‘Fuel-and-energy-related activities’ (which represent 83% of our baseline emissions in Scope 3). This is aligned with the emissions covered by our science-based target approved by the SBTi. Refer to pages 64-71 for further information.

Principal risks

The following pages summarise our principal risks and uncertainties with mitigating actions for each, and related trends in the risk environment, as identified by the Board for the year ended 31 March 2022.

The list is not exhaustive and may change during the next financial year, as the risk landscape evolves.

While COVID-19 has not impacted our principal risks materially, we continue to remain focused on the health, safety and well-being of our employees, clients and consumers.

In order to assess our Group’s viability, the directors focused on three principal risks that are critical to our success. These are summarised below and discussed in more detail in the Viability assessment section following the description of our principal risks.

  • Loss or inappropriate use of data or systems leading to serious reputational and brand damage, legal penalties and class action litigation.
  • Adverse and unpredictable financial markets or fiscal developments in one of our major countries of operation, resulting in significant economic deterioration, currency weakness or restriction.
  • New legislation or changes in regulatory enforcement, changing how we operate our business.

Loss or inappropriate use of data and systems

We hold and manage sensitive consumer information that increases our exposure and susceptibility to cyber attacks or other unauthorised access to data, either directly through our online systems or indirectly through our partners or third-party contractors.

This risk is considered in the viability assessment.

Risk type: Operational
Risk movement: Stable

Potential impact

Unauthorised access to consumer data could cause problems for consumers and result in material loss of business, substantial legal liability, regulatory enforcement actions and/or significant harm to our reputation. The impact of this risk, if it materialises, will typically be felt in the near term.

Examples of control mitigation

  • We deploy physical and technological security measures, combined with monitoring and alerting for suspicious activities.
  • We maintain an information security programme with strong governance for identifying, protecting against, detecting and responding to cyber security risks and recovering from cyber security incidents.
  • We impose contractual security requirements on our partners and other third parties that use our data, complemented by periodic reviews of third-party controls.
  • We maintain insurance coverage, where feasible and appropriate.

Responsibility

Our Global Security Office sets policies and standards related to the information security programme. Every employee is ultimately responsible for following security policies and protocols.

Changes this year

External cyber security threats to businesses continue to increase in number and scale. We also continue to see an increase in fraudulent activity seeking access to data.

Our security programme continues to improve its maturity relative to industry frameworks and we have further enhanced our protection, detection and response capabilities by strengthening security policies, practices and training. We also ensure that we apply them consistently across our regions and business units. We will continue investing in the tools, people, resources and initiatives necessary to maintain and improve our global information security programme.

Our Chief Information Security Officer has retired this year and his successor has started in the role.


Adverse and unpredictable financial markets or fiscal developments

We operate globally and our results could be affected by global, regional or national changes in fiscal or monetary policies.

A substantial change in credit markets in the USA, Brazil or the UK could reduce our financial performance and growth potential in those countries.

We present our Group financial statements in US dollars. However, we transact business in a number of currencies. Changes in other currencies relative to the US dollar affect our financial results.

A substantial rise in US, EU or UK interest rates could increase our future cost of borrowings.

We are subject to complex and evolving tax laws and interpretations, which may change significantly. These changes may increase our effective tax rates in the future. Uncertainty about the application of these laws may also result in different outcomes from the amounts we provide for.

We have a number of outstanding tax matters and resolving them could have a substantial impact on our financial statements, cash and reputation.

This risk is considered in the viability assessment.

Risk type: Financial
Risk movement: Increasing

Potential impact

The US, Brazil and UK markets are significant contributors to our revenue.

A reduction in one or more of these consumer and business credit services markets could reduce our revenue and profit.

We benefit from the strengthening of currencies relative to the US dollar and are adversely affected by currencies weakening relative to it.

We have outstanding debt denominated principally in euros, pounds sterling and US dollars. As this debt matures, we may need to replace it with borrowings at higher interest rates.

Our earnings could be reduced and tax payments increased as a result of settling historical tax positions or increases in tax rates.

Adverse publicity around tax could damage our reputation.

The impact of this risk, if it materialises, will typically be felt in the short to long term.

Examples of control mitigation

  • We have a diverse portfolio by geography, product, sector and client. We provide counter-cyclical products and services.
  • We convert cash balances in foreign currencies into US dollars.
  • We fix the interest rates on a proportion of our borrowings.
  • We retain internal and external tax professionals, who regularly monitor developments in international tax and assess the impact of changes and differing outcomes.
  • We review contingency plans in our key markets as to specific potential responses to evolving financial conditions.

Responsibility

Our corporate and business unit finance functions monitor our external landscape, and interface with business units to develop and implement appropriate actions.

Changes this year

We continue to analyse the impact of a potential economic downturn and associated actions, particularly in our key markets. Some of the underlying risk vectors are improving, while others have future uncertainty associated with them, as detailed below, so this will remain an area of focus.

During the year, the global economy saw a strong rebound, with the Gross Domestic Product (GDP) in our main markets expected to grow 6.9%, following a 4.3% recession in FY21 (Oxford Economics, February 2022). The GDP in our main markets is expected to grow 2.8% in FY23, following successive reductions in recent months. Factors such as the impact of inflation on our base payroll cost and technology spend as well as other issues such as supply chain pressures can also lead to higher operating costs. The impact of the Russian invasion of Ukraine is being closely monitored by a working group. We continue to perform analyses to understand the impact of changes in economic conditions on Group revenues and have considered different economic scenarios in our viability assessment.

The Group of Twenty (G20) countries has now endorsed the two-pillar approach to the reform of international taxation. The two pillars are that the largest and most profitable global companies pay corporate taxes in their largest customer markets, and that there is a global minimum corporate tax of 15%.

In the USA, tax reform proposals continue to be discussed, including changes to the corporate federal income tax rate. In Brazil, Serasa Experian has been successful in its challenges to date against the Brazilian tax authorities for the deduction of the initial goodwill amortisation arising from its acquisition by Experian; however, there are some remaining matters that are yet to be resolved. The Colombian Tax Authority has raised a similar challenge on the deductibility of goodwill in respect of the 2014 and 2016 tax years. Historical UK tax disputes continue to be discussed with Her Majesty’s Revenue and Customs.


New legislation or changes in regulatory enforcement

We operate in an increasingly complex environment and many of our activities and services are subject to legal and regulatory influences. New laws, new interpretations of existing laws, changes to existing regulations and heightened regulatory scrutiny could affect how we operate. For example, regulatory interpretation of complex, principles-based privacy regulations could affect how we collect and process information for marketing, risk management and fraud detection.

This risk is considered in the viability assessment.

Risk type: Strategic, Regulatory/Compliance, Operational
Risk movement: Increasing

Potential impact

We may suffer increased costs or reduced revenue resulting from modified business practices, adopting new procedures, self-regulation or litigation or regulatory actions resulting in liability, fines and/or changes in our business practices. The impact of this risk, if it materialises, will typically be felt in the short term.

Examples of control mitigation

  • We use internal and external resources to monitor planned and realised changes in legislation.
  • We educate lawmakers, regulators, consumer and privacy advocates, industry trade groups, our clients and other stakeholders in the public policy debate.
  • Our global Compliance team has region-specific regulatory expertise and works with our businesses to identify and adopt balanced compliance strategies.
  • We execute our Compliance Management Programme, which directs the structure, documentation, tools and training requirements to support compliance on an ongoing basis.

Responsibility

Our Legal, Government Affairs and Compliance functions work with our business units to understand the impact of relevant laws and regulations, including any regulatory interpretations and associated implications. The business units put into place appropriate procedures and controls designed to ensure compliance.

Changes this year

New laws, new interpretations of existing laws, changes to existing regulations and heightened regulatory scrutiny continue. The global focus is still on privacy and a general trend towards more consumer control over data, but also includes heightened regulatory scrutiny and interpretations of existing regulations related to our credit reference and consumer services businesses in our larger markets. The laws and regulations to which we are subject are complex, principles-based, and may be subject to interpretations, which can lead to actual and potential differences in how regulations are now interpreted and enforced in many of the jurisdictions in which we operate. In some cases these differences in interpretations may have to be decided in the courts.

We highlight some significant updates below:

In the USA, the Consumer Financial Protection Bureau (CFPB) conducts regular and ongoing supervisory examinations of various aspects of our credit reference business. The CFPB has increased its supervisory and enforcement activities generally in the financial services industry, with a focus on accuracy, fairness, financial inclusion and anti-discrimination. The California Privacy Rights Act (CPRA) will become effective on 1 January 2023, with the California Consumer Privacy Act (CCPA) remaining in effect through that date. Many other US states are progressing privacy regulation, and more are expected to enact privacy laws before a national privacy standard may be established. In the meantime, divergence in state laws may have an impact on products and services, as well as on compliance regimes.

In Brazil, some regulators have been examining compliance with the recently enacted Privacy legislation modelled after the EU General Data Protection Regulation (GDPR), which may have an impact on how businesses operate in certain markets, including marketing services. In addition, Contran (National Council of Traffic) published new legislation in December 2020 establishing restrictions to the auto finance registry business, in order to avoid conflicts of interest.

In the UK, the Government’s National Data Strategy and regulatory changes around use of open banking data indicate a future change in direction in regulation of data to encourage economic growth and innovation in balance with privacy protection. The UK Financial Conduct Authority's (FCA) Market Study into the Credit Information sector is due to report by mid-2022. Its focus includes the competitive dynamics and consumer outcomes resulting from credit information. The FCA is consulting on rules to implement a new Consumer Duty which will require firms to act to deliver good outcomes for consumers, enforced by the FCA. The proposals at present do not include a private right of action in relation to the duty, and there has been preliminary recognition that credit reference agencies do not directly control outcomes for consumers with lenders in connection with this duty. The decision in the UK Supreme Court case of Lloyd v Google has reduced the risk of representative actions for breaches of data protection law. Finally, the UK Information Commissioner’s Office (ICO) and Competition and Markets Authority (CMA) both continue work in the AdTech space where they are looking to balance privacy rights against the risks of giving large online platforms competitive advantage and dominance. A new Commissioner was appointed at the ICO in January 2022 to lead enforcement and interpretation of data protection regulation.

In Europe, the European Commission published its proposal for the Artificial Intelligence (AI) Regulation. We are actively involved through our European industry trade body (ACCIS) and through additional efforts to shape the development of the legislative process to minimise risk to our business. In Spain, a ministerial order was issued in July 2020 which has the potential to lead to a public credit registry. The banks are supporting this legislation because it allows them to avoid sharing positive data with private bureaux, which in turn will limit access to positive data for non-bank lenders, thus maintaining their market concentration. We launched a judicial review against the ministerial order in September 2020 and await an update from the court, now expected later in 2022.

In South Africa, bureaux either require prior authorisation or an industry Code of Conduct to process data under the Protection of Personal Information Act (POPIA). We are currently engaged as an industry with the regulator to issue a Code. We have confirmed that the industry can continue to process data while awaiting issuance of the Code.


Failure to comply with laws and regulations

We hold and manage sensitive consumer information and we must comply with many complex privacy and consumer protection laws, regulations and contractual obligations.

Risk type: Regulatory/Compliance, Operational
Risk movement: Increasing

Potential impact

Non-compliance may result in material litigation, including class actions, as well as regulatory actions. These could result in civil or criminal liability or penalties, damage to our reputation or significant changes to parts of our business. The impact of this risk, if it materialises, will typically be felt in the near term.

Examples of control mitigation

  • We maintain a compliance management framework that includes defined policies, procedures and controls for Experian employees, business processes, and third parties such as our data resellers.
  • We assess the appropriateness of using data in new and changing products and services.
  • We vigorously defend all pending and threatened claims, employing internal and external counsel to effectively manage and conclude such proceedings.
  • We analyse the causes of claims, to identify any potential changes we need to make to our business processes and policies.
  • We maintain insurance coverage, where feasible and appropriate.

Responsibility

Our Legal and Compliance functions work with our business units to understand the impact of relevant laws and regulations, including any regulatory interpretations and associated implications. Our business units put into place appropriate procedures and controls designed to ensure compliance.

Changes this year

We have faced increased regulatory scrutiny, and regulatory and government enquiries and investigations in several jurisdictions. The laws and regulations to which we are subject are complex, principles-based, and may be subject to interpretations, which can lead to actual and potential differences in how regulations are now interpreted and enforced in many of the jurisdictions in which we operate. In some cases these differences in interpretations may have to be decided in the courts.

In the USA, we are subject to regular and ongoing supervisory examinations of various aspects of our credit reference business by the CFPB. During the course of the year, the CFPB conducted supervisory examinations covering our dispute resolution processes, Experian Boost and client credentialing. The results of the dispute resolution examination have been referred to the CFPB’s Enforcement Division and we are currently responding to data requests. In the current environment, we expect that one or more additional matters could be referred to enforcement in the new financial year. Over the past year, the number of US class action lawsuits has remained steady; however, individual consumer cases are trending up. While we are managing the effects associated with these investigations and lawsuits, the costs of responding to the increased regulatory scrutiny and defending litigation are rising and consequently the risk of potential liability and impact on some parts of our business remains significant.

In Brazil, the general data protection law (LGPD) has been effective since September 2020. In addition, LGPD created the Brazilian National Data Protection Authority (the ANPD), which exercises certain roles of education, enforcement, investigation, and regulation, including the determination of rules/procedures and interpretation of data protection laws. While we have implemented our rigorous compliance programme based on the principles outlined in the law, we have already seen some different regulatory interpretations of these principles and how they relate to our Marketing Services business. The Federal District public prosecutor filed a class action against Serasa Experian, alleging violations of LGPD in failing to obtain consumer consent prior to disclosing and using personal data for marketing purposes in two specific solutions. We are no longer providing those two marketing solutions.

In the UK, our appeal against the ICO's Enforcement Notice (EN) was heard by the First Tier Tribunal over several days in January and February 2022. We await the decision which is expected in the next several months, and there are further rights of appeal. We have continued to see open contact and closer supervision by the UK FCA around compliance with their rules and principles, particularly relating to the importance of the role of credit reference agencies to the financial services industry and the obligations of credit reference agencies to those whose data is held. Most recently their focus has been on financial liquidity, operational resilience, cyber and operational risk.

In South Africa, Experian implemented its readiness programme for compliance with the Protection of Personal Information Act (POPIA). A settlement has been reached with the National Credit Regulator regarding the fraudulent data incident that occurred in 2020 and the settlement agreement requirements are being fulfilled.


Non-resilient IT/business environment

Delivery of our products and services depends on a number of key IT systems and processes that expose our clients, consumers and businesses to serious disruption in the event of systems or operational failures.

Risk type: Operational
Risk movement: Stable

Potential impact

A significant failure or interruption could have a materially adverse effect on our business, financial performance, financial condition and reputation. The impact of this risk, if it materialises, will typically be felt in the near term.

Examples of control mitigation

  • We maintain a significant level of resilience in our operations, designed to avoid material and sustained disruption to our businesses, clients and consumers.
  • We design applications to be resilient and with a balance between longevity, sustainability and speed.
  • We maintain a global integrated business continuity framework that includes industry-appropriate policies, procedures and controls for all our systems and related processes, as well as ongoing review, monitoring and escalation activities.
  • We duplicate information in our databases and maintain back-up data centres.

Responsibility

Our corporate and business technology teams, assisted by the Business Continuity function, are responsible for maintaining appropriate primary and back-up infrastructure to minimise disruption.

Changes this year

Throughout this year we experienced isolated events that tested our plans and processes. We continue to closely monitor our infrastructure and processes to manage our commitments to clients, consumers and regulators.

In addition, we provide training to our key responders and carry out periodic exercises to validate that our procedures are fit for purpose. We have designed our applications using a ‘build anywhere, deploy anywhere’ strategy, to support portability and maximum resilience. Our approach to asset lifecycle management helps ensure that we retire and replace our technology in a timely fashion.

We are closely monitoring the impact of global supply chain issues on the cost of technology hardware and our ability to procure it. So far, maintenance is not being impacted.

A global initiative continues to make progress in maximising business value and maintaining leadership through accelerated technology transformation. We also continue targeted improvements to be well prepared for resiliency risk events.


Business conduct risk


Our business model is designed to create long-term value for people, businesses and society, through our data assets and innovative analytics and software solutions. Inappropriate execution of our business strategies or activities could adversely affect our clients, consumers or counterparties.

Risk type: Strategic, Operational
Risk movement: Stable

Potential impact

Consumers or clients could receive inappropriate products or not have access to appropriate products, resulting in material loss of business, substantial legal liability, regulatory enforcement actions or significant harm to our reputation. The impact of this risk, if it materialises, will typically be felt in the short term.

Examples of control mitigation

  • We maintain appropriate governance and oversight through policies, procedures and controls designed to safeguard personal data, avoid detriment to consumers, provide consumer-centric product design and delivery, and effectively respond to enquiries and complaints.
  • The above activities also support a robust conduct risk management framework.
  • We enforce our Global Code of Conduct, Anti-Corruption Policy and Gifts and Hospitality Policy. If we believe employees or suppliers are not following our conduct standards, we will investigate thoroughly and take disciplinary action where appropriate.

Responsibility

Our Compliance function sets policies and standards, including the Global Code of Conduct. All employees are accountable for understanding and following our conduct standards.

Changes this year

Regulators have continued to put public trust and consumer and investor protection at the centre of their mission statements and have promoted prudent conduct risk management.

We regularly evaluate our policies and other protocols to ensure that we stay up to speed with external and internal expectations.


Dependence on highly skilled personnel

Our success depends on our ability to attract, motivate and retain key talent while also building future leadership.

Risk type: Operational
Risk movement: Increasing

Potential impact

Not having the right people could materially affect our ability to service our clients and grow our business. The impact of this risk, if it materialises, will typically be felt in the long term.

Examples of control mitigation

  • In every region, we have ongoing programmes for recruitment, personal and career development, and talent identification and development.
  • As part of our employee engagement strategy, we conduct periodic employee surveys. We track progress against our action plans.
  • We offer competitive compensation and benefits and review them regularly.
  • We actively monitor attrition rates, with a focus on individuals designated as high talent or in strategically important roles.

Responsibility

Our business units work with the Human Resources function to set and implement talent management strategies.

Changes this year

We continue to take steps to effectively manage our ability to attract, develop and retain employee talent. While our mitigation efforts have been effective, our talent continues to be highly attractive to other organisations.

We continue to transform our Talent Acquisition proposition to better attract talent to Experian. We have embedded mobile-enabled technology, introduced candidate experience surveys at different stages of the hiring and onboarding process, significantly enhanced our presence on social media, implemented key performance indicators for recruiters and continue to upskill our capability within the Talent Acquisition team.

We monitor employee engagement through a variety of channels and have been implementing the action plans from our periodic surveys. In addition to high response rates, our latest surveys continue to show strong engagement and enablement scores.

Voluntary attrition rates are stable but continue to be a focus.

Significant activity in Diversity, Equity and Inclusion (DEI) continues with the roll-out of a consistent global framework – notably, a requirement that our Group Operating Committee has a Diversity Action Plan that’s reviewed quarterly, evolving financial inclusion as one of our key business drivers and senior executives taking up Sponsor roles for key areas of our DEI strategy, including setting gender and ethnicity targets.

With COVID-19, we have kept the health and safety of our employees as the primary consideration of our pandemic response. Most of our employees are still working remotely. We expect future work arrangements to be guided by a consistent global framework and principles, with local flexibility around the approach to account for legal and cultural nuances.


Increasing competition


We operate in dynamic markets such as business and consumer credit information, decisioning software, fraud, marketing, and consumer services. Our competitive landscape is still evolving, with traditional players reinventing themselves, emerging players investing heavily and new entrants making commitments in new technologies or approaches to our markets. There is a risk that we will not respond adequately to such disruptions or that our products and services will fail to meet changing client and consumer preferences.

Risk type: Strategic
Risk movement: Stable

Potential impact

Price reductions may reduce our margins and financial results. Increased competition may reduce our market share, harm our ability to obtain new clients or retain existing ones, affect our ability to recruit talent and influence our investment decisions. We might also be unable to support changes in the way our businesses and clients use and purchase information, affecting our operating results. The impact of this risk, if it materialises, will typically be felt in the long term.

Examples of control mitigation

  • We continue to research and invest in new data sources, analytics, technology, capabilities and talent to deliver our strategic priorities.
  • We continue to develop innovative new products that leverage our scale and expertise and allow us to deploy capabilities in new and existing markets and geographies.
  • We use rigorous processes to identify and select our development investments, so we can efficiently and effectively introduce new products and solutions to the market.
  • Where appropriate and available, we make acquisitions and minority investments and enter into strategic alliances to acquire new capabilities and enter new markets.

Responsibility

Our Corporate Development and Experian Ventures teams, as well as our business units, monitor the competitive landscape in order to develop and implement appropriate actions.

Changes this year

We are proactive in our efforts to evaluate competitors and markets, and pursue investments and enhancements to our data, analytics, technology and capabilities where appropriate, available and feasible.

Traditional competitors continue to pursue differentiated data assets, adjacent vertical expansion, and new geographic markets. In the Consumer Services space, other firms have become bigger competitors in recent years as we have expanded in areas such as digital marketplaces and identity protection. We feel confident in Experian’s relative position and competitive advantages, but the broader landscape continues to evolve.

There is a long-term competitive risk to consider related to newer entrants building information networks based on consumer data. While some of them may not be trying to build a credit bureau or fraud business as such, this is not many degrees away from our core business and is being closely monitored.

Certain governments and central banks in countries where we have credit bureaux are collecting loan data from banks, principally for systemic risk analysis, though some may share individual loan data with lenders, which has the potential to compete with some of our credit reference data services. Whether and when any government agencies choose to go down this route is uncertain. In the USA, there have been references to comprehensive reform of the credit bureau ecosystem, including the potential formation of a government-owned credit bureau. However, these proposals appear unlikely to be enacted in their current, broad form. It is more likely that regulators will continue to push for improvements through the existing supervisory and examination programmes.


Undesirable investment outcomes


We critically evaluate, and may invest in, equity investments and other growth opportunities, including internal performance improvement programmes. To the extent invested, any of these may not produce the desired financial or operating results.

Risk type: Strategic, Operational
Risk movement: Stable

Potential impact

Failure to successfully implement our key business strategies could have a materially adverse effect on our ability to achieve our growth targets.

Poorly executed business acquisitions or partnerships could result in material loss of business, increased costs, reduced revenue, substantial legal liability, regulatory enforcement actions and significant harm to our reputation.

The impact of this risk, if it materialises, will typically be felt in the long term.

Examples of control mitigation

  • We analyse competitive threats to our business model and markets.
  • We carry out comprehensive business reviews.
  • We perform comprehensive due diligence and post-investment reviews on acquisitions and investments.
  • We employ a rigorous capital allocation framework.
  • We design our incentive programmes to optimise shareholder value through delivery of balanced, sustainable returns and a sound risk profile over the long term.

Responsibility

Our Corporate Development and Experian Ventures teams, as well as our business units, monitor the investments we make to ensure outcomes are in line with expectations.

Changes this year

We have further refined our policies and standards that apply minimum requirements to our acquisition and integration processes, including enhancement of diligence around data governance and formally incorporating key lessons learned.

As the impact of COVID-19 lessens, we continue to analyse opportunities and threats to our business model and work to address such opportunities and threats through acquisitions, investments, strategic partnerships and new technologies where appropriate.

We continue to build and refine our acquisition pipeline based upon the key strategic themes we have developed. In addition, we work to identify and execute on relevant minority investment opportunities. We are closely engaged with our minority investments, offering guidance and advice and, where appropriate, providing commercial offerings that may be helpful to these companies.

Downloads

Annual Report 2022 (Full PDF)
Prototype interactive filing 2022 (UKSEF)