The Board is responsible for maintaining and reviewing the effectiveness of the Group's risk management activities from a strategic, financial, regulatory, and operational perspective. These activities are designed to identify and manage, rather than eliminate, the risk of failure to achieve business objectives or to successfully deliver Experian's business strategy. Experian’s risk management programme is regularly reviewed by the Audit Committee and in FY22 the Committee engaged an external firm to assess the current state and identify opportunities for further enhancement. Following this review, the Group defined a new strategic plan for the approach to risk management, which sets a clear vision to continue the maturing of a sustainable and embedded risk management framework within Experian.

The Audit Committee received second line of defence strategic updates at its September 2023 meeting from Group Risk Management, the Global Security Office and Global Compliance. As well as these strategic updates, the Committee was briefed on tactical measures already underway, on a threat-informed basis, to manage and mitigate near-term reductions in areas of risk critical to the defence of the Experian business. These measures focus on complex areas where a need to rapidly evolve the process, controls and operational assurance of implementation has been identified. The Group's risk management processes are designed to identify, assess, respond to, report on and monitor the risks that threaten the ability to achieve the business strategy and objectives, within the Group's risk appetite. There is an ongoing process for identifying, evaluating, and managing the principal and emerging risks Experian faces. This process was in place for the financial year and up to the date of approval of this Annual Report. Full details of our risk management and internal control systems and processes can be found in the Risk management and principal risks section of the Strategic report of the Annual Report. The Audit Committee considers emerging risks with management as part of the standing risk management update it receives.

The Audit Committee (on behalf of the Board) monitors the internal control and risk management systems, robustly assesses the emerging and principal risks identified by our risk assessment processes (including those that would threaten Experian's business model, future performance, solvency or liquidity and reputation), and monitors actions taken to mitigate them. For certain joint arrangements, the Committee relies on the systems of internal control operating within Experian partners’ infrastructure and the obligations of partners’ boards, relating to the effectiveness of their own systems.

The Code requires companies to review the effectiveness of their risk management and internal control systems, at least annually. The monitoring and review should cover all material controls, including financial, operational, and compliance controls. The Committee performs this review under delegated authority from the Board. Through a combination of ongoing and annual reviews, the Committee is able to review the effectiveness of the Group’s risk management and internal control system. The annual review of effectiveness considered that:

  • there was a process in place to determine the nature and extent of the principal risks the Company was willing to take in order to achieve its long-term strategic objectives
  • there was an ongoing process for identifying, evaluating, and managing the emerging and principal risks faced by the Group that was regularly reviewed by the Committee
  • processes were in place throughout the year ended 31 March 2024, and which would remain in place up to the date of approval of the Annual Report
  • the effectiveness of such processes was reviewed by the Board
  • the information the Board received was sufficient to enable it to review the effectiveness of the Group’s risk management and internal control systems.

The Audit Committee, on behalf of the Board, considers that the information it received enabled it to review the effectiveness of the Group’s system of internal control and risk management in accordance with the FRC’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and that there were, and the system has, no significant failings or weaknesses. For more on our approach to risk management see the 2024 Annual Report.