Risk review and escalation Our Enterprise Risk Management Committee (ERMC) sets TransUnion’s risk strategy and helps prioritize risk management activities across the company. The ERMC meets on a monthly basis to facilitate continuous improvement of TransUnion’s risk management capabilities. The ERMC monitors TransUnion’s risk and governs the policies and processes related to risk, including: → Reviews the broader risk environment and provides direction to mitigate, to an acceptable level, identified risks that may adversely affect our ability to achieve our strategic objectives → Annual review of our Global Risk Taxonomy which names, classifies and defines the risks we are exposed to across the enterprise → Reviews and approves our Enterprise Risk Management Policy and additional enterprise policies in risk-related areas, such as privacy and cybersecurity The ERMC is comprised of our Chief Executive Officer and all his direct reports, as well as the Chief Information Security Officer (CISO). Material issues raised at the ERMC are escalated to the Audit and Compliance Committee and/or the Technology, Privacy and Cybersecurity Committee of the Board (TPCC) of Directors. Board of Directors Board Level Executive Mergers and Audit & Technology, Privacy Nominating & Compensation Committee Committee Acquisitions Compliance & Cybersecurity Corporate Governance Committee Committee Committee Committee Executive Enterprise Risk Management Committee Committee (ERMC) Management Business Unit Risk Privacy Office Third-Party Risk Operational Risk Working Groups & Compliance Management Committee SECURITY, GOVERNANCE & COMPLIANCE TRANSUNION | 2021 SUSTAINABILITY REPORT 21