Risk and Crisis Management
Effective risk management is essential to our ability to execute our strategy, deliver value to clients and shareholders, and operate a sustainable business. By systematically identifying, assessing and responding to risks, we seek to enhance decision-making, enable effective governance and compliance, and strengthen our resilience to disruptions.
S&P Global employs internal controls and processes to proactively identify emerging risks and opportunities, promote resilience and ensure compliance with applicable laws and regulations. We also work to foster a risk-aware culture by empowering our people to recognize and manage risk and make informed, data-driven decisions in our day-to-day operations.
Risk management is overseen by the Board of Directors. The Board regularly reviews key risks at the board and committee level and periodically assesses the appropriate oversight structure for such risks. For additional information on the Board’s oversight of risk management, including committee-level responsibility for specific risk categories, see the 2024 Proxy Statement.
While the Board provides oversight, management is responsible for the day-to-day management of the company’s risk exposures in a manner consistent with the company’s strategic and agreed risk appetite. Management provides regular updates to the Board and Audit Committee concerning strategic, operational and emerging risks and the company’s efforts to help mitigate those risks. As a critical component of the company’s risk management process, the company has adopted an integrated risk management framework to continuously identify, assess, measure, manage, monitor and report current and emerging nonfinancial risks. As part of this framework, the company has an Enterprise Risk Management (ERM) Committee, which is chaired by the company’s Chief Risk & Compliance Officer. The ERM Committee oversees the company’s risk management framework, including the implementation of the framework components across the company. In addition, divisional risk committees provide executive-level forums for regular discussion and oversight of the management of risks specific to each division. The ERM Committee promotes a strong company-wide culture of risk management, compliance and control.
Under the direction of the Chief Risk & Compliance Officer, ERM is responsible for developing and implementing processes for identifying, managing and reporting on risk exposures on an ongoing basis, and for promoting a risk-aware culture throughout the organization.
In this role, ERM facilitates the development of an annual Enterprise Top Risk Assessment involving stakeholders from across the company, including all functions and divisions. Divisional risk profiles are vetted by each divisional risk committee and integrated with the enterprise-wide assessment. Each identified risk is assessed based on its likelihood and impact, and key drivers and relationships among risks are also considered. ERM also works to identify emerging risks and track key risk indicators in risk dashboards.
As part of this process, the ERM and Finance teams also collaborate to develop and assess a range of scenarios exploring the possible outcomes of certain risk events or combinations of risk events. These are then used to perform financial stress testing, including evaluation of the scenarios’ potential impact on the company’s financial performance, balance sheet and credit rating profile. The results of both the Enterprise Top Risk Assessment and scenario analysis are reviewed by the ERM Committee. The Top Risk Assessment is reviewed by the Audit Committee of the Board and the scenario analysis is reviewed by the Finance Committee of the Board. The Enterprise Top Risk Assessment is also reviewed by the full Board.
The company’s internal audit function performs annual independent assessments of our risk management framework, policies and procedures. The reviews include but are not limited to strategic, operational, financial, technology and compliance processes, as well as enterprise risk management practices. Results of the audits performed are communicated to senior management and the Audit Committee of the Board.
ERM also works to continuously improve risk education and culture to foster appropriate understanding and awareness of risks across the organization. In 2023, we enhanced these efforts through the rollout of an expanded risk and compliance training program for employees.
Global Security and Crisis Management (GS&CM) combines data with real-world expertise to protect our people, assets and reputation from a range of complex security threats. The team is composed of six centers of excellence: Security Intelligence & Protective Operations, Crisis Management, Medical & Safety Guidance, Security Operations, Security Technology and Administration & Finance. Working together, they are responsible for anticipating, assessing, tracking and responding to both actual and potential threats to our people and operations.
GS&CM’s forward-looking efforts are underpinned by the principle that intelligence-led solutions result in better strategic outcomes. We therefore seek to continuously enhance our capabilities with data and technology solutions that enable better foresight and more informed and timely decision-making. For example, in 2023, we implemented new tools and processes to enhance how we anticipate risks and challenges linked to climate change (see box).
In the event of an acute risk that may affect the company – such as extreme weather or a security incident – our Crisis Management Plan specifies protocols and procedures for management and escalation to the appropriate decision-makers. Real-time monitoring and response are initially coordinated by our 24/7 Global Security Support Center and a network of four Regional Senior Security Directors, who may then activate additional groups – including Site Incident Management Teams, the global Incident Support Team or our CEO-led Crisis Management Team – as necessary.
Risks faced by the company, including ESG- and sustainability-related risks, are classified as emerging, in that they are often complex, may evolve or change rapidly, and may be difficult to assess due to their high level of uncertainty. As an illustration of S&P Global’s proactive risk management approach, the following highlights examples of significant emerging risks that may have a long-term impact on the company. Further information about the company’s business, including information about factors that could materially affect the company’s results of operations and financial condition, is contained in the company’s filings with the SEC, including Item 1A, “Risk Factors,” in our 2023 Annual Report on Form 10-K.
Changes in the global privacy, data localization and data protection legislative, regulatory and commercial environments in which we operate may materially and adversely impact our ability to collect, compile, use and publish data, and may impact our financial results. For more information on how we are managing and mitigating this risk, see Policy Influence and Transparent Engagement and Data Privacy and Cybersecurity.
Social and ethical issues relating to the use of new and evolving technologies, such as AI, in our offerings could materially and adversely affect our business, financial condition or results of operations. For more information on how we are managing and mitigating this risk, see Responsible Products and Marketing and Data Privacy and Cybersecurity.
S&P Global’s business continuity management and information technology (IT) disaster recovery programs aim to not only protect our vital assets but strengthen our ability to provide uninterrupted service to our customers.
Designed in alignment with industry requirements and best practices, our Operational Resilience Management Program follows a strategic lifecycle to implement appropriate business continuity and IT disaster recovery strategies for all critical business functions and technologies operating from our offices around the globe. Key aspects of the program include:
The management structure for business continuity and IT disaster recovery is led by our Operational Resilience Management team and composed of a steering committee, a working group and plan owners, with members of each group made up of senior leaders. We perform regular testing of our plans and procedures – at a minimum annually – to ensure their effectiveness and drive continuous improvement.
In 2023, we further enhanced our approach by updating our enterprise-wide Operational Resilience Policy and introducing formal IT Disaster Recovery Standards.
In early 2023, a review of GS&CM data revealed that approximately two-thirds of the incidents the team managed were connected to climate change. The findings also showed that the events the team spent the most time managing were not the most visible ones, such as interstate conflicts, but rather the more frequent and much-less-reported ones connected to climate change, including heavy rainfall, heat and cold waves, and wildfires, among others.
As a result, GS&CM has sought to further integrate climate change into its strategic decision-making. This includes creating a new climate risk program enabling GS&CM to:
To understand and accurately quantify the relationship between climate and security risk, GS&CM built its own forward-looking exposure tool based on the fusion of two key S&P Global datasets: Sustainable1 Trucost Physical Risk and Foresight Security. By integrating this into our existing site vulnerability tool, known as the Global Threat Monitor, GS&CM leveraged S&P Global’s unique intelligence to drive enhanced insight and decision-making around overall site/asset risk exposure.
As part of these efforts, GS&CM also continued to systematically track extreme weather events in a dedicated natural hazards database. In 2023, we identified and monitored over 350 such events with the potential to impact our operations – a 45% increase over the previous year. In addition to providing enhanced trend analysis, the database helped S&P Global better understand asset exposure while supporting improved capital allocation over both the short and long term.
S&P Global
Climate change is already reshaping and amplifying the risks we traditionally manage. Our organization continuously works to respond quickly and become resilient to increasing needs of our people and our business.
Chief Security Officer