A17 Risk management

Page 1 of 8

A17 – Risk management

(a) Risk management framework

Aviva has established a risk management framework to protect the Group from events that hinder the sustainable achievement of its performance objectives, including failing to exploit opportunities.

The risks faced by the Group can be categorised as follows:

– Financial risks cover market and credit risk, insurance risk, liquidity and capital management.

– Strategic risks include issues such as customer, brand, products and markets as well as any risks to our business model arising from changes in our market and risks arising from mergers and acquisitions.

– Operational risk arises from inadequate or failed internal processes, or from people and systems or from external events. Operational risks include business protection, information technology, people, legal and regulatory compliance.

The risk management framework provides the means to identify, assess, mitigate, manage, monitor and report all of the different types of risk faced by the Group to provide a single picture of the threats and uncertainties faced and opportunities that exist.

Responsibility for risk management resides at all levels within the Group with appropriate risk related objectives embedded within performance measurement plans. As part of our risk management framework we employ a three lines of defence model that encourages close working relationships between line management and the risk function whilst facilitating independent assurance by internal audit. Primary responsibility for risk identification and management lies with business management (the first line of defence). Support for and challenge on the completeness and accuracy of risk assessment, risk reporting and adequacy of mitigation plans are performed by specialist risk functions (the second line of defence). Independent and objective assurance on the robustness of the risk management framework and the appropriateness and effectiveness of internal control is provided by group audit (the third line of defence).

The Group sets limits to manage material risks to ensure the risks stay within risk appetite (the amount of risk the Group is willing to accept). The Group assesses the size and scale of a risk by considering how likely it is that the risk will occur and the potential impact the risk could have on our business and our stakeholders. Where risks are outside appetite actions are agreed to mitigate the exposure.

The Group’s risk management framework is designed to manage, rather than eliminate, the risk to business objectives and mitigates the risk of material financial misstatement or loss. New and emerging risks, or risks we currently deem as immaterial may also pose a risk to business objectives.

The Group recognises the critical importance of maintaining an efficient and effective risk management framework. To this end, the Group has an established governance framework, which has the following key elements:

– Defined terms of reference for the Board, its committees, and the associated executive management committees;

– A clear organisational structure with documented delegated authorities and responsibilities from the Board to Board committees, executive management committees and senior management;

– A risk management function operating across Group centre, regions and business units, with clear responsibilities and objectives;

– A Group policy framework that defines risk appetite and sets out risk management and control standards for the Group’s worldwide operations. The policies also set out the roles and responsibilities of businesses, regions, policy owners, and the risk oversight committees; and

– Risk oversight committees that review and monitor aggregate risk data, assess whether the risk profile is within appetite and take overall risk management decisions. The committees monitor adherence to the risk management policies and oversee mitigating actions being taken where risks are outside of appetite.

The Group has developed economic capital models that support the measurement, comparison and monitoring of our risks. The results of the modelling are incorporated into key decision making processes. These models show the relative impact to economic capital from the risks we face. In turn this supports the assessment of appropriate and effective mitigating strategies where risks are outside of appetite.

The financial impact from changes in market risk (such as interest rates, equity prices and property values) is examined through stress tests adopted in the Individual Capital Assessments (ICA) and scenario analysis which consider the impact on capital from variations in financial circumstances on either a remote scenario, or to changes from the central operating scenario. Both assessments consider the management actions that may be taken in mitigation of the change in circumstances.

Stress and scenario testing help give an indication of the size of losses that could be experienced in extreme but plausible events and compliments other risk measurement techniques. It helps identify concentration risk across businesses and portfolios and is a useful tool for management to use in their capital planning process. A number of stress tests and economic scenarios have been developed to capture the adverse impact on the businesses of extreme events. The stress tests are designed to cover major asset classes and insurance risks. The stress tests are produced at least monthly and are reviewed and discussed by senior management.

The sensitivity of Group earnings to changes in economic markets is regularly monitored through sensitivities to investment rate and investment return and asset values in IFRS and MCEV reporting.

The Financial Services Authority (FSA) requires Aviva to assess its economic capital requirements to ensure that it adequately reflects business and control risks. In turn this analysis supports our strategic planning and decision-making processes.

Page 1 of 8