Governance structure

The Board’s role is to provide entrepreneurial leadership of the Company within a framework of prudent and effective controls which enable risk to be assessed and managed. The Board believes that a strong system of governance throughout the Group is essential in ensuring that the business runs smoothly, to aid effective decision making and support the achievement of the Group’s objectives.

The Board is responsible to shareholders for promoting the long-term success of the Company for the benefit of shareholders and, in particular, for setting the Group’s strategic aims, setting the Group’s risk appetite, ensuring the Group is adequately resourced, and that effective controls are in place. The Board also sets the values and supports the culture of the Group.

This includes ensuring that an appropriate system of governance is in place throughout the Group. To discharge this responsibility, the Board has established frameworks for risk management and internal control using a 'three lines of defence' model and reserves to itself the setting of the Group's risk appetite.

In-depth monitoring of the establishment and operation of prudent and effective controls in order to assess and manage risks associated with the Group's operations is delegated to the Audit, Risk and Governance Committees, which report regularly to the Board. However, the Board retains ultimate responsibility for the Group's systems of internal control and risk management and their effectiveness, and has carried out a review of the systems during the year.

These frameworks play a key role in the management of risks that may impact the fulfilment of the Board's objectives. They are designed to identify and manage, rather than eliminate, the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement or losses. These frameworks are regularly reviewed and comply with the Financial Reporting Council’s Internal Control: Revised Guidance for Directors.

The Company's governance structure comprises the following:

Risk management framework

The Risk Management Framework (RMF) is designed to identify, measure, manage, monitor and report the significant risks to the achievement of the Group’s business objectives and is embedded throughout the Group. The RMF has been in place for the year under review and up to the date of approval of the Annual report and accounts. It is codified through risk policies and business standards which set out the risk strategy, appetite, framework and minimum requirements for the Group’s worldwide operations.

1. Our risk appetite framework

Our risk appetite framework comprises:

  • Overarching risk appetites: Quantitative expressions of the level of risk we can support (e.g. capital we are prepared to put at risk).
  • Risk preferences: Qualitative statements on the risks we believe we are capable of managing to generate a return, risks we can support but need to be controlled, and risks we seek to avoid or minimise.
  • Operating risk limits and tolerances: Quantify specific boundaries (e.g. limits on specific risks).

The Aviva Board has approved four risk appetite statements:

  • Economic capital: Based on economic capital at risk in an extreme loss event over a one year time horizon.
  • European Insurance Groups Directive (IGD) capital: Based on maintaining an appropriate level of required regulatory solvency capital in a severe loss event.
  • Liquidity: Based on stressing one year forecast central liquid assets and cash inflows and outflows (covering Group centre costs, debt costs and dividends).
  • Franchise value: Long-term sustainability depends upon the protection of franchise value and good customer relationships. As such, Aviva will not accept risks that materially impair the reputation of the Group and requires that customers are always treated with integrity.

Risk appetites are clearly defined, refreshed on a regular basis and form part of the planning process. Risk appetites exist in aggregate and by risk type.

2. Our risk management processes

The core business processes we use to identify, measure, manage, monitor and report (IMMMR) risks, delivered by our organisation and people, are set out below:

Identify and measure

Risk identification is carried out on a regular basis, including as part of the business planning process and any major business initiatives, and draws on a combination of internal and external data, covering both normal conditions and stressed environments. Risks are recorded on a business-wide key risk register.

We measure risks on the basis of economic capital (as well as other bases if appropriate) to determine their significance, relative to the potential return and to appropriately direct resources to their management.

Manage and monitor

Monitoring ensures that the risk management and mitigation approaches (accept, avoid, transfer, control) in place are effective. Monitoring may also identify risk-taking opportunities.

We regularly monitor our risk exposures against risk appetites, as well as key risk indicators against operating and financial risk limits and tolerances. Early warning indicators are monitored as triggers for management action, such as putting into effect pre-prepared contingency plans.

We monitor the effectiveness of controls in place to manage operational risks, including compliance with the Group’s internal business standards.
Risk reporting is dynamic, focused on:

  • Material risks and trends
  • Performance and the impact on the risk profile, historical and prospective
  • Decisions, taking account of risk reward trade-offs
  • Projections/forward-looking views
  • Mitigating actions
  • Risk vs. appetite

Supported by our organisation and people

Good risk management is supported by our staff having clear roles and responsibilities, the right skills and capabilities, and the right incentives and rewards. We strive to embed a risk-aware culture and values in our business through employee training and communications.

3. Our risk governance

Risk is governed through group-wide risk policies and business standards, risk oversight committees and clear roles, responsibilities and delegated authorities. The Aviva plc Board is responsible for setting the Group’s risk appetite and establishing and operating controls to assess and manage the risks. The Board delegates ‘day-to-day’ risk management to the Group CEO, who delegates operational aspects to executives within the Group through delegated authority letters.

Line management in the business is accountable for risk management, which together with the risk function and internal audit form our ‘three lines of defence’ of risk management.

Internal controls

Internal controls facilitate effective and efficient business operations, the development of robust and reliable internal reporting and compliance with laws and regulations.

A Group reporting manual including International Financial Reporting Standards (IFRS) requirements and a Financial Reporting Control Framework (FRCF) are in place across the Group. FRCF relates to the preparation of reliable financial reporting and preparation of local and consolidated financial statements in accordance with applicable accounting standards and with the requirements of the Sarbanes-Oxley Act of 2002. The FRCF process follows a risk based approach, with management identification, assessment (documentation and testing), remediation (as required), reporting and certification over key financial reporting-related controls. Management regularly undertakes quality assurance procedures over the application of the FRCF process and FRCF controls.

The Board delegates to the Group CEO the day-to-day management of the Company and approval of specific issues up to set financial limits, including limits on revenue and capital expenditure, reinsurance spend and the settlement of claims. In turn the Group CEO delegates some of his authority to his direct reports. There is a similar delegated authority framework in place throughout the Group.

Management as the first line of defence

Management are responsible for the application of the RMF, for implementing and monitoring the operation of the system of internal control and for providing assurance to the Audit Committee, the Risk Committee, the Governance Committee and the Board.

The Group Executive members and each business unit Chief Executive Officer are responsible for the implementation of Group strategies, plans and policies, the monitoring of operational and financial performance, the assessment and control of financial, business and operational risks and the maintenance and ongoing development of a robust control framework and environment in their areas of responsibility. Chaired by the Chief Risk Officer (CRO), the Asset Liability Committee (ALCO) assists the CFO with the discharge of his responsibilities in relation to management of the Group’s Balance Sheet within risk appetite and provides financial and insurance risk management oversight.

The Operational Risk Committee is also chaired by the CRO. It supports the first line owners of key operations and franchise risks in the discharge of their responsibilities in relation to operational risk management.

The Disclosure Committee is chaired by the CFO and reports to the Audit Committee. It oversees the design and effectiveness of the Group’s disclosure controls, for both financial and non-financial information, evaluates the Group’s disclosure controls and reviews and endorses the Group’s key periodic external reports, including the consolidated financial statements. The results of the FRCF process are signed off by business unit Chief Executive Officers and Chief Financial Officers and compliance with the FRCF is reported to the Disclosure and the Audit Committees.

The Risk function as the second line of defence

The Risk function is accountable for the quantitative and qualitative oversight and challenge of the identification, measurement, monitoring and reporting of significant risks and for developing the RMF.

As the business responds to changing market conditions and customer needs, the Risk function regularly monitors the appropriateness of the Company’s risk policies and the RMF to ensure they remain up to date. This helps to provide assurance to the various risk oversight committees that there are appropriate controls in place for all core business activities, and that the processes for managing risk are understood and followed consistently across the Group.

The second line Risk function as a whole also includes the Compliance and Actuarial functions. The Actuarial function is accountable for Group wide actuarial methodology, reporting to the relevant governing body on the adequacy of reserves and capital requirements, and on the adequacy of underwriting and reinsurance arrangements. The Compliance function supports and advises the business on the identification, measurement and management of its regulatory, financial crime and conduct risks. It is accountable for maintaining the compliance standards and framework within which the Group operates, and monitoring and reporting on its compliance risk profile.

Internal Audit as the third line of defence
The Internal Audit function provides independent and objective assessment on the robustness of the RMF, the appropriateness and effectiveness of internal control, and the adequacy of these systems to manage business risks and to safeguard the Group’s assets and resources, reporting to the Audit, Governance and Risk Committees, business unit Audit Committees and the Board.

The function has an Internal Audit Charter and Business Standard. The Charter sets out the purpose, functions, scope and responsibilities of the Internal Audit function and how it maintains independence from the first and second line management of the Group. The four main functions of Internal Audit are to:

  • Assess and report on the effectiveness of the design and operation of the framework of controls which enable risk to be assessed and managed.
  • Assess and report on the effectiveness of management actions to address deficiencies in the framework of controls.
  • Investigate and report on cases of suspected financial crime and employee fraud and malpractice.
  • Undertake designated advisory projects for management provided that they do not threaten the function’s actual or perceived independence from management.

The Internal Audit Business Standard sets out the requirements for management across the Group to support Internal Audit in achieving its objectives. It requires businesses to design and operate processes and controls to satisfy the mandatory requirements in the standard based on the size and complexity of the business and the nature of the risks and challenges it faces. Any breaches of the Standard must be reported to the CAO and others as appropriate.

Read the full report: Aviva Plc 2017 internal audit charter
Board oversight

The Risk Committee assists the Board in its oversight of risk and risk management across the Group and makes recommendations on risk appetite to the Board. The responsibilities and activities of the Risk Committee are set out in the Risk Committee Report.

The Audit Committee, working closely with the Risk Committee, is responsible for assisting the Board in discharging its responsibilities for the integrity of the Company’s financial statements, the effectiveness of the system of internal financial controls and for monitoring the effectiveness, performance and objectivity of the internal and external auditors. The responsibilities and activities of the Audit Committee are set out in the Audit Committee Report.