At Experian we believe that how we work is as important as what we do: we treat everyone fairly and their data with respect; we work with integrity, always. On this page you will find information about how we manage our business responsibly.
We have introduced a new cultural approach to put client needs first and foremost in our product innovation. We also build the management of critical issues such as data privacy, security and accuracy into our products and processes. The Executive Risk Management Committee (ERMC) oversees how we manage risks globally, including environmental, social and governance risks. Our Impact Framework supports our corporate purpose to create a better tomorrow by helping to improve financial lives through our people, products and profit. Our corporate responsibility programme is overseen by the Company Secretary, who sits on the ERMC. A central team and a network of regional corporate responsibility leads, specialists and steering groups across the business manage our Social Innovation, community investment, health and safety, and environmental programmes and impact. The Board receives regular reports on the activity undertaken in these areas. Metrics from each region are monitored and reported each month, and aggregated global data is reported publicly on an annual basis. We are currently developing new metrics to more effectively measure the impact of our products and programmes on financial lives and our contributions to the UN Sustainable Development Goals (SDGs).
We hold vast amounts of data about people and businesses, and we take our responsibility as stewards of that data very seriously. The loss or inappropriate use of data and systems is one of our principal risks and could result in material loss of business, substantial legal liability, regulatory enforcement actions and significant harm to our reputation.
Our approach
We invest heavily in cyber security and have dedicated teams, state-of-the-art technology and robust due diligence procedures to deal with potential threats. Our security approach has three tiers: preventing threats from entering our system; detecting when a threat is in our system; and mitigating threats by minimising the potential to extract valuable information in case of a breach. We have controls in place to check for compliance and constantly scan for potential threats, with several layers of protection for our data assets (see diagram below).
Our Global Security Operations Centre has teams in various regions working to identify suspicious or malicious activity around the clock, with support from automated tools and artificial intelligence. Our incident response team is ready to take action to eliminate any threats that are identified. Our in-house team of forensic data experts manages a suite of incident response tools and we draw on external expertise where needed. We gather intelligence on evolving cyber threats to help our security teams stay ahead of them. We share our knowledge through our annual Data Breach Industry Forecast to help other businesses and consumers keep their data safe too. We have a global data breach plan and run simulated exercises for cyber security teams and senior leaders across various functions. We perform regular risk assessments and vulnerability checks on critical systems and undergo external cyber security audits every year. Our performance is rated as advanced by a leading independent cyber security ratings firm. We integrate security into every project from start to finish. Everyone involved in product development is responsible for embedding security considerations into the lifecycle of a product. Our processes, including manual penetration testing, are designed to discover, detect and remediate security threats from the first concept for a new product or solution all the way through the coding, build, quality assurance and production stages (see diagram below).
Security governance
We have clear lines of responsibility and accountability for data security. The Security and Continuity Steering Committee oversees our approach to keeping data secure and protecting consumer information. The committee reviews monthly metrics related to security tools, compliance and completion of training by employees. Our Audit Committee receives progress reports at every meeting.
The Chief Information Security Officer has overall responsibility for Experian’s global security strategy and our Global Security Office (GSO) sets relevant policies and standards – including our comprehensive Global Security Policy and controls, which are based on the internationally recognised ISO 27001 standard. Our robust information security programme is based on industry-recognised procedures such as the US National Institute of Standards and Technology (NIST) framework. Our security, audit and risk teams work together to continually improve our assurance capabilities and test the effectiveness of our controls. We apply our Three Lines of Defence model for risk management, which includes review by Global Internal Audit and oversight from the Board. We investigate any potential policy breaches and take disciplinary action where appropriate. Before an acquisition, the GSO conducts due diligence to identify any potential risks, followed by an in-depth post-acquisition security assessment which is then reviewed by Global Internal Audit. When it is necessary to provide third parties with access to our data and systems, the GSO ensures that such access is provided in line with our information security requirements. We also extend stringent standards on information security to our suppliers and partners through the terms of our contracts.
Protecting consumer privacy is extremely important to us. We have programmes in place to evaluate every product and service to ensure we strike the right balance between consumers’ privacy expectations and the economic benefit to both consumers and clients. Lenders need access to secure and accurate information about people’s financial profiles from Experian or other credit bureaux. Such information is integral to an efficient and competitive credit ecosystem that delivers robust and innovative products for consumers that enable them to get the most out of their data, contributes to economic growth and supports a stable consumer banking system. We only ever share data with authorised and trusted organisations. When we do so, we follow strict guidelines and comply with all relevant laws. We have a comprehensive data protection programme in place, which details the steps we take to mitigate data protection risks, and what is expected from our employees. Our Global Information Values define how data must be secured, managed and used. We update our data processes in line with evolving regulations such as the EU General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act in the USA and the Brazil General Data Protection Law. We respond to government consultations and engage with regulators as privacy regulations and guidance evolve. We strive to be transparent about the information we collect from consumers and third parties, and how that data is used and shared. Consumers can find out more about how we handle their data on the global privacy policy pages of our website.
The accuracy of consumer credit reports depends on the accuracy of the data used to compile those reports. We recognise how important this is for consumers. Ensuring the data we collect and use is correct – and that information we provide to clients is used fairly – is fundamental to our reputation and business success. We have taken significant steps over the last few years to improve the accuracy of consumer credit reports. We only use data from reputable sources and our quality control procedures help us to identify inaccurate or out-of-date information before it is added to our databases. We assess the accuracy of the consumer credit information that we get from data providers and work with them to improve the quality of the data they contribute to Experian. We also provide tools to help data providers check data before they submit it to us to help them meet our data quality standards. If data providers are unwilling to implement improvements to meet our standards, we will no longer source data from them.
Our platforms enable us to monitor and measure data accuracy on a continuous basis. In the USA, where data accuracy is a particularly significant issue for stakeholders, we have taken steps to strengthen our procedures, including for record matching and ensuring customers’ health insurance payments are properly reflected in medical debt records. We have processes in place for consumers to dispute information in their credit report that they believe is inaccurate. In the USA, our dispute centre makes it easier for people to file a dispute about credit information and get it corrected quickly. It can be accessed online or via a mobile app. We monitor how data providers deal with disputes and how they remediate them to improve accuracy of their data. Many of our products also empower consumers and businesses to protect their data and check for any inaccuracies in their financial profiles.
We listen to our people to understand how we can make Experian an even better place to work. This year, 88% of employees shared their views in our Annual People Survey and our overall engagement score increased slightly to 76%. The percentage of employees who believe action has been taken based on the results of the last survey was 3% above the industry norm. Every year, we run Creating A Better Tomorrow Awards to celebrate innovation and inspire everyone to deliver our purpose. We also improved our onboarding process to help people feel inspired from day one at Experian. We invested US$9.6m in training this year and 75% of employees said we provide good opportunities for learning and development. Programmes include High Performance Masterclasses for senior leaders and managers, our newly launched Accelerate Ambition leadership programme, and our Ambition programme for middle and junior level leaders. We also launched a new online platform with more bite-sized and on-demand training options and online forums for people to share knowledge.
We aim to attract and develop the very best diverse talent and create an inclusive culture where everyone feels valued. Our inclusion councils drive the agenda in each region along with a programme of more than 60 local events that tie in with global celebrations such as International Women’s Day. We have 28 employee resource groups that celebrate and support diversity across the company. Globally, 44% of our employees and 30% of our senior leaders are women. We run training and talent development programmes to support women in the business. We’re using artificial intelligence to scan job specifications for gender-biased language and we’ve increased our presence at female-focused events to attract more women to join the business.
We run local annual campaigns at each of our sites to keep health and safety top of mind and we prioritise wellbeing so employees feel supported in their personal and work lives. Wellness campaigns across Latin America this year highlighted topics such as healthy food, mindfulness and relaxation. Our Mental Health First Aiders and employee resource groups provide local wellbeing support. This year, we ran a campaign to offer instant mini health checks at health kiosks in the UK. We also launched tools in Asia Pacific and in the UK and Ireland that enable employees to access reward, health and emotional wellbeing resources online whenever and wherever they need support.
Supporting our people through the COVID-19 crisis
As the COVID-19 pandemic took hold, we took steps to protect our people. This has included closing offices and making adjustments to enable homeworking where possible, while continuing to prioritise the security of our data and systems. Senior leaders in each region were closely involved in decisions about crisis management and support for employees during the pandemic. We kept our people informed and our CEO and other leaders provided updates by email and conference calls, sharing personal insights into the challenges of working at home during lockdown. We understand that homeworking and isolation for a protracted period can affect wellbeing. We’re offering multiple resources and tips to help our people make this transition, including guidance on being productive as well as setting boundaries between work and personal life. Across our regions, we’ve intensified employee support, including providing emergency paid leave, virtual doctor services and flexible working hours. We’ve increased our focus on managing stress, mindfulness and meditation in our wellbeing programmes, as well as mental health support. We’re encouraging colleagues to stay connected to combat feelings of isolation and employees can access free counselling for professional help to manage anxiety and worry. We’re also checking in through regular employee pulse surveys. Throughout the crisis, we’ve kept track of evolving guidance from national governments and the World Health Organisation, and ensured we follow this as it applies to employees in each of our regions.
We are committed to respecting human rights and we do not tolerate any infringement of these rights in our business or our supply chain. Our Global Code of Conduct and other related policies align with the United Nations Universal Declaration of Human Rights. We include human rights in our annual training on the Global Code of Conduct for employees to raise awareness of potential risks. Employees also receive a briefing highlighting the risks of modern slavery and how to report concerns. We are committed to treating all our people fairly and with respect. In the UK, Experian is an accredited Living Wage employer. This means we go beyond the national minimum wage set by the government and pay employees what the Living Wage Foundation has calculated as the rate people really need to live on.
Our suppliers are contractually obliged to protect workers’ rights and freedoms – and to require their subcontractors to do the same. We monitor modern slavery risks in our supply chain and our procurement teams get in-depth training to help them spot any potential risks and understand what to do if they have concerns. We conduct risk assessments of our suppliers and undertake further due diligence if needed, including engaging with suppliers to make sure they address any issues identified. Our Slavery and Human Trafficking Statement provides further information about our commitment, policies and actions to tackle modern slavery risks in our business and our supply chain. Experian is a founding member of the Slave-Free Alliance, which brings together businesses working towards a slave-free supply chain. We worked with the Slave-Free Alliance to undertake a comprehensive assessment of our approach to preventing modern slavery in our supply chain and develop a three-year improvement plan. We are also working with our charity partner, Hope for Justice, to support survivors of modern slavery, who often find they have been the victims of fraud and identity theft.
All suppliers must comply with our Supply Chain Principles, which are clearly communicated on our website. Our contracts require suppliers to confirm that they accept our minimum requirements for ethical, labour and environmental standards or have their own equivalent standards in place. Suppliers and other third parties must undergo due diligence before we work with them and our Three Lines of Defence controls support compliance. We also use data from news sources around the world to help us monitor risks in our supply chain. Monthly reports on key suppliers are shared with our procurement teams and supplier relationship managers to alert them on any issues. We assess and monitor all suppliers for corporate responsibility risks such as bribery and corruption and modern slavery. Managing data security and privacy risks is central to our third-party risk management framework. Risk management and compliance are included alongside commercial factors in our supplier selection process. All the third parties we work with – including suppliers and indirect clients – must undergo a risk assessment process that is overseen by our Third Party Risk Management team. We assess them for security risks, as well as business continuity, compliance and reputational risks. We tailor the level of oversight to the risk profile of each supplier, which is assessed through an initial risk stratification questionnaire based on factors such as the type of service they provide and the type of data they have access to. If we identify any gaps in controls, we log these in our global centralised governance, risk and compliance system, and track issues through to resolution. We will not work with – and routinely reject – third parties that do not uphold our standards on critical issues, such as security.
Working with integrity is one of our core values and is fundamental to maintaining our reputation for high standards of conduct. Our Global Code of Conduct sets out clear ethical standards to help everyone at Experian make the right decisions, in line with our One Experian way of working. A breach of our ethical standards could cause reputational, legal and operational risks to our business, and undermine our relationships with clients, shareholders and consumers.
The Global Code of Conduct is supported by detailed policies covering specific topics such as anti-corruption, gifts and hospitality, fraud management, complaint management, fair treatment of vulnerable consumers, product development and marketing, whistleblowing and tax. Our compliance culture is reinforced by our Three Lines of Defence risk management model. We expect managers to be positive role models for ethical behaviour and require all employees to complete annual compliance training. We make sure that they do so through our performance review process. We encourage people to report any suspected policy breach or unethical activity through our 24-hour Confidential Helpline, anonymously if they choose, without fear of reprisals.
Anti-bribery and corruption
Our Global Anti-corruption Framework prohibits facilitation payments, kickbacks or any form of bribery or corruption. The accompanying detailed Global Gifts and Hospitality Policy sets out strict ethical standards relating to gifts, entertainment, hospitality, sponsorship, travel expenses and donations. We also have controls in place to ensure that any sponsorships, charitable contributions, lobbying or political donations comply with all relevant laws and are conducted ethically. We apply a zero-tolerance approach to bribery and corruption throughout our supply chain. To work with us, suppliers must accept our ethical standards or confirm they have equivalent standards in place. We conduct risk assessments and any suppliers identified as high risk for bribery or corruption are referred to the Compliance team for further due diligence, including an assessment of corruption, regulatory and reputational risks. Our Finance and Global Sourcing teams have training and controls to detect and stop improper payments, with support from our Global Internal Audit team. If we identify any concerns through audits, self-assessments or our Confidential Helpline, we promptly investigate them and take appropriate action if necessary. We also follow robust due diligence procedures to identify any risk of improper payments during mergers and acquisitions or when we enter into joint ventures.
As an information services business, we have a relatively small environmental footprint compared with many other industries. Our biggest impact relates to greenhouse gas emissions from energy used to power, heat and cool our buildings and data centres, and from business travel. In the last year, we reduced our absolute carbon footprint by 8% – from 47.7 to 43.7 thousand tonnes of CO2e – and cut the carbon intensity of our business by 14% per US$1,000 of revenue compared with the previous year. We did this by improving energy efficiency in our buildings and consolidating offices. This year we also sourced 29% of our worldwide energy from renewable sources.
Our Carbon Neutral commitment 2020
We recognise the urgent need for businesses to accelerate their response to the climate change emergency and we must do our part. That is why we are committing to:
Become carbon neutral in our own operations by 2030 – This year we will undertake a project to assess whether we can achieve carbon neutrality sooner than this and will put in place a robust timeline (including science-based targets) based on the results.
Gradually carbon offset our scope 1 and 2 emissions over the next 5 years.
Learn more about our Carbon Neutral Plan.
Managing our impact
We’re improving energy efficiency, sourcing renewable energy and using our robust environmental management systems to help us manage these impacts. We also engage employees around the world to take steps to help us reduce our environmental impact, from turning off lights to switching to greener transport options. This year, employees in the USA launched the “Creating a greener tomorrow” club to encourage colleagues to make greener choices. In the UK, we partnered with Nottingham City Council to respond to employee demand for more cycling facilities at work and arranged for employees to access electric vehicle charging points at a nearby council-owned site. In Brazil, 85% of our employees took part in a campaign to recycle office waste and reduce use of single-use plastics. Everyone who took part received a reusable bamboo cup. The environmental impact of single-use plastics has become a hot topic for stakeholders and we’re committed to eliminating as much single-use plastic in Experian controlled facilities as possible over the next two years.
Reporting
We follow the recommendations of the Task Force on Climate-Related Financial Disclosure and have aligned our reporting with them. You can find our complete statement on page 47 of our Experian Annual Report 2020.
Emissions-related data is recorded on a monthly basis across our portfolio and externally assured on an annual basis. Our key performance indicators are reported on page 16 of our Sustainable Business Report – Our Approach and Performance. Additional annual data is reported in the CR Performance data document, and detailed information on our calculations can be found in the 2020 Reporting Principles and Methodologies document.
PwC’s assurance report 2020 is also available on our website.
Experian plc
Newenham House
Northern Cross
Malahide Road
Dublin 17
D17 AY61
Ireland