Overview

Effective risk management is essential to our ability to execute our strategy, deliver value to clients and shareholders, and operate a sustainable business. By systematically identifying, assessing and responding to risks, we seek to enhance decision-making, enable effective governance and compliance, and strengthen our resilience to disruptions.

Our Approach

S&P Global employs internal controls and processes to proactively identify emerging risks and opportunities, promote resilience and comply with applicable laws and regulations. We also work to foster a risk-aware culture by empowering our people to recognize and manage risk and make informed, data-driven decisions in our day-to-day operations.

Risk management is overseen by the Board of Directors. The Board regularly reviews key risks at the board and committee level and periodically assesses the appropriate oversight structure for such risks. For additional information on the Board’s oversight of risk management, including committee-level responsibility for specific risk categories, see the 2025 Proxy Statement.

While the Board provides oversight, management is responsible for the day-to-day management of the company’s risk exposures in a manner consistent with the company’s strategic and agreed risk appetite. Management provides regular updates to the Board and Audit Committee concerning strategic, operational and emerging risks and the company’s efforts to help mitigate those risks.

As a critical component of the company’s risk management process, the company has adopted an integrated risk management framework to continuously identify, assess, measure, manage, monitor and report current and emerging risks. As part of this framework, the company has an Executive Risk Management Committee (ERMC), which is chaired by the company’s Chief Risk Officer. The ERMC oversees the company’s risk management framework, including the implementation of the framework components across the company. In addition, the Management Risk Committee (MRC) and divisional risk committees provide executive-level forums for regular discussion and oversight of risks specific to each division or function. The ERMC promotes a strong, company-wide culture of risk management, compliance and control.

Enterprise Risk Management

Under the direction of the Chief Risk Officer, Enterprise Risk Management (ERM) is responsible for developing and implementing processes for identifying, managing and reporting on risk exposures on an ongoing basis, and for promoting a risk-aware culture throughout the organization.

In this role, ERM facilitates the development of an annual Enterprise Top Risk Assessment involving stakeholders from across the company, including all functions and divisions. Divisional risk profiles are vetted by each divisional risk committee and integrated with the enterprise-wide assessment. Each identified risk is assessed based on its likelihood and impact, and key drivers and relationships among risks are also considered. ERM also works to identify emerging risks and track key risk indicators in risk dashboards.

As part of this process, the ERM and Finance teams also collaborate to develop and assess a range of scenarios exploring the possible outcomes of certain risk events or combinations of risk events. These are then used to perform financial stress testing, including evaluation of the scenarios’ potential impact on the company’s financial performance, balance sheet and credit rating profile. The results of both the Enterprise Top Risk Assessment and scenario analysis are reviewed by the ERMC. The Top Risk Assessment is reviewed by the Audit Committee of the Board, and the scenario analysis is reviewed by the Finance Committee of the Board. The Enterprise Top Risk Assessment is also reviewed by the full Board.

ERM also works to continuously improve risk transparency, awareness and training through appropriate risk forums across the organization. In 2024, these efforts included updating the company’s Risk Taxonomy with additional detail on risks related to sustainability topics. We also updated our internal risk rating methodology to include impacts on people as a factor to consider when evaluating and assessing risks.

The company’s internal audit function performs annual independent assessments of our risk management framework, policies and procedures. The reviews include, but are not limited to, strategic, operational, financial, technology and compliance processes, as well as enterprise risk management practices. Results of the audits performed are communicated to senior management and the Audit Committee of the Board.

S&P Global Emerging/Evolving Risks

Many risks faced by the company are classified as emerging, meaning they are complex, may evolve or change rapidly, and may be difficult to assess due to their high level of uncertainty. As an illustration of S&P Global’s proactive risk management approach, the following highlights examples of significant emerging risks that may have a long-term impact on the company. Further information about the company’s business, including information about factors that could materially affect the company’s results of operations and financial condition, is contained in the company’s filings with the SEC, including Item 1A, “Risk Factors,” in our 2024 Annual Report on Form 10-K.

Climate change and the transition to renewable energy and a net-zero economy pose operational, commercial and regulatory risks. For more information on how we are managing and mitigating this risk, see Energy and Climate Change and our 2025 TCFD Report.

Social and ethical issues relating to the use of new and evolving technologies, such as AI, in our offerings could materially and adversely affect our business, financial condition or results of operations. For more information on how we are managing and mitigating this risk, see Responsible Products and Marketing and Data Privacy and Cybersecurity.

Global Security and Crisis Management

Global Security and Crisis Management (GS&CM) combines data with real-world expertise to protect our people, assets and reputation from a range of complex security threats. The team is composed of six centers of excellence: Security Intelligence & Protective Operations, Crisis Management, Medical & Safety Guidance, Security Operations, Security Technology and Administration & Finance. Working together, they are responsible for anticipating, assessing, tracking and responding to both actual and potential threats to our people and operations.

GS&CM’s forward-looking efforts are underpinned by the principle that intelligence-led solutions result in better strategic outcomes. We therefore seek to continuously enhance our capabilities with data and technology solutions that enable better foresight and more informed and timely decision-making. In 2024, this included continuing to implement new tools and processes to enhance how we anticipate risks and challenges linked to climate change (see below "Leveraging Intelligence to Enhance Climate Risk Resilience").

In the event of an acute risk that may affect the company – such as extreme weather or a security incident – our Crisis Management Plan specifies protocols and procedures for management and escalation to the appropriate decision-makers. Real-time monitoring and response are initially coordinated by our 24/7 Global Security Support Center and a network of four Regional Senior Security Directors. The latter may then activate additional groups – including Site Incident Management Teams, the global Incident Support Team or our CEO-led Crisis Management Team – as necessary.

Operational Resilience Management

S&P Global’s Operational Resilience Management program aims to protect our vital assets and strengthen our ability to provide uninterrupted service to our customers.

Designed in alignment with industry requirements and best practices, our Operational Resilience Management Program follows a strategic lifecycle to implement appropriate business continuity and information technology (IT) disaster recovery strategies for all critical business functions and technologies operating from our offices around the globe. Key aspects of the program include:

  • Definition of recovery objectives, such as recovery time or maximum tolerable downtime, identified through a comprehensive business impact analysis and risk assessment process.
  • Identification and implementation of viable recovery strategies and procedures for continuity.
  • Corroboration through a comprehensive testing methodology.

The management structure for business continuity and IT disaster recovery is led by our Operational Resilience Management team and composed of a steering committee, a working group and plan owners, with members of each group made up of senior leaders. We perform regular testing of our plans and procedures – at a minimum annually – to verify their effectiveness and drive continuous improvement.

In 2024, we continued to mature our operational resilience capabilities by enhancing our Business Impact Analysis (BIA) process to improve data integrity, simplify data collection and align with emerging regulatory requirements.

Leveraging Intelligence to Enhance Climate Risk Resilience

Following a 2023 analysis revealing that the majority of the incidents it manages are connected back to climate change, GS&CM continues to work to integrate climate change into its strategic decision-making by leveraging data. This includes continuing to use a bespoke, forward-looking tool called the Global Threat Monitor, which integrates S&P Global Sustainable1 Physical Risk and Foresight Security datasets, helping drive enhanced insight and decision-making around overall site/asset risk exposure.

In 2024, GS&CM built on this work by creating a series of Physical Climate Risks Awareness guides, which are designed to educate team members and enhance preparedness across the enterprise. Additionally, to provide a more forward-looking solution, GS&CM created an internal real-time climate alert service. Published numerous times daily, the real-time alerts cover the full scope of Sustainable1’s Physical Risk methodology and are tailored to our global portfolio of office locations. To increase efficiency and timeliness, the curation, writing and translation of updates are supported by S&P Global’s primary internal generative artificial intelligence (GenAI) platform, Spark Assist.

In the wake of the COVID-19 pandemic, hybrid work continues to play a key role in our global operations. With this in mind, in 2024, GS&CM collaborated with Corporate Responsibility, Sustainable1 and the People Team on a joint project to understand the potential impact of physical climate risks on our U.S.-based remote workforce.
