Risk management and Risk management COVID-19 response TransUnion maintains policies and procedures to identify, assess and control risks. Our Business Resilience program includes TransUnion’s Chief Risk and Compliance Officer manages the everyday operations pandemic, business continuity, and of the risk management and compliance programs. The Chief Risk and Compliance crisis management plans for each of our locations. All response teams undergo Officer reports to the enterprise Chief Legal Officer who, in conjunction with annual preparedness exercises. We routinely executive leadership, oversees the company’s Risk Management Framework (RMF). enhance our preparedness program, and early in 2020, we implemented new threat monitoring tools and processes – both Risk Management Framework invaluable during our pandemic response. TransUnion’s RMF establishes the processes through which it reduces risk. Directing The company’s risk policies and procedures serve to set boundaries KEY COVID-19 RESPONSE PLAN for taking risks. People first Organizing The RMF serves to organize risk and develop our risk management strategy and approach. Early in the pandemic, we set a guiding principle that the health and safety of our Managing TransUnion manages risk through the establishment of controls people and communities was our top to mitigate identified risks, coupled with an Issue Management response priority by expanding benefits process that drives process enhancements where controls are and flexibility deemed to be ineffective. Effective governance Monitoring Monitoring occurs through periodic control assurance testing and We established an executive steering ongoing assessment of control effectiveness. committee to make prompt decisions, Reporting To enable management oversight, the program reports key risk a response team to execute the plan themes and performance metrics. Monthly reporting is presented and a global network of office leads to coordinate locally to the Enterprise Risk Management Committee. Consistent communication When issues are identified, our Enterprise Issue Management program supports We frequently communicated and sought operational resilience through rapid response and effective issue resolution to input, inviting questions via a special mailbox and feedback via periodic pulse surveys on minimize impacts and mitigate risks. When we receive feedback from stakeholders, health, business and technology topics we work across the organization to address the feedback, using established risk Leveraging data and technology management processes and routines. Utilizing our established Risk Taxonomy, We developed in-house technology tools to we are building processes, metrics and reporting that help us better identify and track key readiness metrics for each of our manage bespoke risks to our business. As TransUnion’s RMF continues to mature, locations and manage the number of people we steadily expand the globalization of the program. in each office at any given time Leveraging expertise Business Resilience We tapped into reliable sources of As a leading global risk and information solutions provider, TransUnion recognizes information and best practices, including the US Center for Disease Control and the services we provide are important to both business customers and consumers. the World Health Organization Accordingly, we are committed to maintaining, updating and periodically testing our Business Continuity Program (BCP) which is designed to minimize any reasonably foreseeable service interruption event. Our program prioritizes critical business processes, identifies significant threats to normal operations, and plans mitigation strategies to ensure effective organizational response to significant business interruptions. The resiliency program consists of six primary response plans and hundreds of detailed plans supporting specific processes and locations, including topics such as data, technical, employee, and facility issues among others. Our executive leaders are actively engaged in the oversight of our BCP by reviewing performance, program improvements, and emerging stakeholder needs. SECURITY, GOVERNANCE & COMPLIANCE TRANSUNION | 2021 SUSTAINABILITY REPORT 20