TransUnion operates in an increasingly complex world, where risks and opportunities come from multiple directions. The risks we face are largely grouped in three categories: environmental, social and operational. Through our stakeholder engagement, we receive feedback on the issues that are most important to the company, with governance and risk management consistently key among them. When we receive feedback from stakeholders, we work across the organization to address it, using established risk management processes and routines.
Risk management program
TransUnion maintains policies and procedures to identify, assess and control risk. Our Chief Risk and Compliance Officer, Keith Warren, manages the everyday operations of the risk management and compliance programs. “TransUnion operates in a highly regulated industry and therefore, making sure we get risk management right is critical for our business,” said Keith. “Having sound risk management and governance practices is fundamental to building and maintaining the trust of our stakeholders.”
TransUnion’s Risk Management Framework (RMF) establishes the processes through which the company reduces risk, and is ultimately overseen by Heather Russell, our enterprise Chief Legal Officer, in conjunction with executive leadership.
As our RMF matures, we continue to extend the program globally. When issues are identified, our Enterprise Issue Management program supports operational resilience through rapid response and effective issue resolution to minimize impacts and mitigate risks. Utilizing our established Risk Taxonomy, we are building processes, metrics and reporting that help us better identify and manage bespoke risks to our business.
As a leading global risk and information solutions provider, we recognize the services we provide are important to both business customers and consumers. Accordingly, we are committed to maintaining, updating and periodically testing our Business Continuity Program (BCP), which is designed to minimize any reasonably foreseeable service interruption. Our program prioritizes critical business processes, identifies significant threats to normal operations and plans mitigation strategies to ensure effective organizational response to significant business interruptions. Our executive leaders are actively engaged in the oversight of our BCP, reviewing performance, program improvements and emerging stakeholder needs.
Risk review and escalation
Our Enterprise Risk Management Committee (ERMC) sets TransUnion’s risk strategy and helps prioritize risk management activities across the company. The ERMC meets on a monthly basis to facilitate continuous improvement of TransUnion’s risk management capabilities.
The ERMC monitors TransUnion’s risk and governs the policies and processes related to risk, including:
- Reviewing the broader risk environment and providing direction to mitigate, to an acceptable level, identified risks that may adversely affect our ability to achieve our strategic objectives
- Annually reviewing our Global Risk Taxonomy, which names, classifies and defines the risks we are exposed to across the enterprise
- Reviewing and approving our Enterprise Risk Management Policy and additional enterprise policies in risk-related areas, such as privacy and cybersecurity
The ERMC is comprised of our Chief Executive Officer and all of his direct reports, as well as the Chief Information Security Officer (CISO). Material issues raised at the ERMC are escalated to the Audit and Compliance Committee and/or the Technology, Privacy and Cybersecurity Committee (TPCC) of the Board of Directors.
Cybersecurity and privacy risk management
Ensuring our data is safe and properly stewarded is vital to keeping consumers protected and maintaining consumer trust. Our CISO and Chief Privacy Officer (CPO) maintain strategies and programs designed to protect consumers and data assets, align with consumer expectations and comply with all applicable laws. The CISO and the CPO have direct reporting lines to the TPCC of TransUnion’s Board of Directors and both report to the TPCC at every Committee meeting.
Climate change risk management
At TransUnion, we are working to reduce our greenhouse gas emissions footprint by procuring renewable energy, setting net-zero targets and offsetting emissions where we cannot eliminate them. In 2022, we’re going a step further and engaging an external consultant to help us assess the climate change risk to our operations.
“TransUnion’s commitment to excellence in risk management includes tailored approaches to address the most salient issues. Getting cybersecurity and data privacy risk management right is of paramount importance to our business,” said Hilary Chidi, Chief Sustainability Officer and Executive Vice President for Credit Risk Solutions at TransUnion. “Similarly, society is already experiencing the impacts of climate change; therefore, understanding the risks and implications for the business is essential.”