The Board is responsible for maintaining and reviewing the effectiveness of the Group’s risk management activities from a strategic, financial, regulatory and operational perspective. These activities are designed to identify and manage, rather than eliminate, the risk of failure to achieve business objectives or to successfully deliver Experian’s business strategy, within the Group’s appetite for risk. Experian’s risk management programme includes a Second Line of Defence Strategic Plan, which incorporates an annual self-assessment of maturity progress and a rotating external validation, where target maturity is benchmarked across relevant industry peers, including financial services. This approach to risk management sets a clear vision to continue the maturing of a sustainable and embedded risk management framework within Experian.

The Audit Committee received second line of defence strategic updates at its September 2025 meeting. There is an ongoing process for identifying, evaluating and managing the principal and emerging risks Experian faces. This process was in place for the financial year and up to the date of approval of this Annual Report. Full details of our risk management and internal control systems and processes can be found in the Risk management and principal risks section of the Strategic report of the 2026 Annual Report. The Committee considers emerging risks with management as part of the standing risk management update it receives.

The Audit Committee (on behalf of the Board) monitors the internal control and risk management systems, robustly assesses the emerging and principal risks identified by our risk assessment processes (including those that would threaten Experian's business model, future performance, solvency or liquidity and reputation), and monitors actions taken to mitigate them.

The Code requires companies to review the effectiveness of their risk management and internal control systems, at least annually. The monitoring and review should cover all material controls, including financial, operational, and compliance controls. The Committee performs this review under delegated authority from the Board. Through a combination of ongoing and annual reviews, the Committee is able to review the effectiveness of the Group’s risk management and internal control system. The annual review of effectiveness considered that:

  • there was a process in place to determine the nature and extent of the principal risks the Company was willing to take in order to achieve its long-term strategic objectives
  • there was an ongoing process for identifying, evaluating, and managing the emerging and principal risks faced by the Group that was regularly reviewed by the Committee
  • processes were in place throughout the year ended 31 March 2026, and which would remain in place up to the date of approval of the Annual Report
  • the effectiveness of such processes was reviewed by the Board
  • the information the Board received was sufficient to enable it to review the effectiveness of the Group’s risk management and internal control systems.

The Audit Committee, on behalf of the Board, considers that the information it received enabled it to review the effectiveness of the Group’s system of internal control and risk management in accordance with the FRC’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and that there were, and the system has, no significant failings or weaknesses. For more on our approach to risk management see the 2026 Annual Report.