The Board is responsible for maintaining and reviewing the effectiveness of our risk management activities from a strategic, financial, regulatory, and operational perspective. These activities are designed to identify and manage, rather than eliminate, the risk of failure to achieve business objectives or to successfully deliver our business strategy. In line with the Code, on behalf of the Board, the Audit Committee monitors our risk management and internal control systems, robustly assesses the principal risks identified by our risk management processes (including those that would threaten our business model, future performance, solvency or liquidity), and monitors actions taken to mitigate them.
During the year, and as outlined earlier, the Committee received second line of defence strategic updates at its September 2022 meeting, comprising details of the plans for Group Risk, Cyber Security, and Privacy, Ethics and Compliance. The Committee also noted the new second line of defence leadership structure, including the appointment of a new Group Chief Risk Officer (CRO), Global Chief Privacy, Ethics and Regulatory Compliance Officer and a new Group Chief Information Security Officer (CISO). As well as the strategic updates, the Committee was briefed on tactical measures already underway, on a threat-informed basis, to manage and mitigate near-term reductions in areas of risk critical to the defence of the Experian business. These measures are focused on complex areas where a need to rapidly evolve the process, controls and operational assurance of implementation has been identified. Our risk management processes are designed to identify, assess, respond to, report on and monitor the risks that threaten our ability to achieve our business strategy and objectives, within our risk appetite. There is an ongoing process for identifying, evaluating, and managing the principal and emerging risks we face. This process was in place for the financial year and up to the date of approval of this Annual Report. Full details of our risk management and internal control systems and processes can be found in the Risk management and principal risks section of the Strategic report on page 78 of the 2023 Annual Report. The Audit Committee considers emerging risks with management as part of the standing risk management update it receives.
Effectiveness of the risk management and internal control systems
Experian’s risk management programme is regularly reviewed, and we previously engaged an external firm to assess the current state and identify opportunities for improvement. The scope was focused generally on risk management organisational structure and management, with a particular emphasis on operational risk management. The output of the external review work was used to adjust the Enterprise Risk Management (ERM) programme and set goals for the next one to three years. The implementation plan, reviewed by the Audit Committee, contained a number of recommendations on operational risk which we continue to implement (further detail is available in the Risk section).
In line with the Code, the Audit Committee (on behalf of the Board) monitors our risk management and internal control systems, robustly assesses the principal risks identified by our risk assessment processes (including those that would threaten our business model, future performance, solvency or liquidity), and monitors actions taken to mitigate them. For certain joint arrangements, the Committee relies on the systems of internal control operating within Experian partners’ infrastructure and the obligations of partners’ boards, relating to the effectiveness of their own systems.
The Code requires companies to review the effectiveness of their risk management and internal control systems, at least annually. The Audit Committee performs this review under delegated authority from the Board.
Through a combination of ongoing and annual reviews, the Committee is able to review the effectiveness of the Group’s risk management and internal control system.
The annual review of effectiveness considered that:
Following this year’s review, the Committee, on behalf of the Board, considers that the information it received enabled it to review the effectiveness of the Group’s system of internal control and risk management in accordance with the FRC’s ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting’, that there were no significant failings or weaknesses, and that the system has none.
For more on our approach to risk management see pages 78 to 85 of the 2023 Annual Report.