Our risk governance

We govern risk through group-wide risk policies and business standards, risk oversight committees and clear roles, responsibilities and delegated authorities.

Our Board is responsible for setting the Group’s risk appetite and establishing and operating controls to assess and manage the risks.

The Board delegates day-to-day risk management to the Group CEO, who delegates operational aspects to executives within the Group through delegated authority letters.

Line management in the business is accountable for risk management and, together with the risk function and internal audit, forms our ‘three lines of defence’ of risk management.

Internal controls

Our internal controls facilitate:

  • effective and efficient business operations
  • the development of robust and reliable internal reporting
  • compliance with laws and regulations.

We assess our operational risks, and the adequacy and operating effectiveness of the controls implemented to manage and mitigate them, through operational risk and control self assessments, an integral part of the Group’s Operational Risk & Control Management (ORCM) framework.

We have a Group-wide reporting manual in relation to International Financial Reporting Standards (IFRS), Solvency II reporting requirements and a Financial Reporting Control Framework (FRCF).

FRCF relates to the preparation of reliable financial reporting, covering both IFRS and Solvency II reporting activity.

The FRCF process follows a risk-based approach, with management identification, assessment (documentation and testing), remediation (as required), reporting and certification over key financial reporting-related controls.

Management regularly undertake quality assurance procedures over the application of the FRCF process and FRCF controls.

Our Board delegates day-to-day management of our company and approval of specific issues up to set financial limits to our Group CEO. This includes limits on revenue and capital expenditure, reinsurance spend, and the settlement of claims. In turn the Group CEO delegates some of his authority to his direct reports. We have a similar delegated authority framework in place throughout the Group.


Management as the first line of defence

Management are responsible for:

  • the application of our risk management framework
  • implementing and monitoring the operation of our system of internal control
  • providing assurance to the Audit Committee, the Risk Committee, the Customer, Conduct and Reputation Committee and the Board.

Our Group Executive Committee members and each business unit Chief Executive Officer are responsible for:

  • implementing our Group strategies, plans and policies
  • monitoring our operational and financial performance
  • assessing and controlling financial, business and operational risks
  • the maintenance and ongoing development of a robust control framework and environment in their areas of responsibility.

There are three group-level management committees designed to assist members of the Group Executive Committee in the discharge of their delegated authorities: 

  • Our Asset Liability Committee (ALCO) is chaired by our Chief Capital Officer (CCO). It helps the CFO meet his responsibility to manage our Group’s Balance Sheet and liquidity within risk appetite. It also provides financial and insurance risk management oversight.
  • Our Operational Risk Committee is chaired by the Chief Financial Officer (CFO). It supports the first line owners of key operations in overseeing the Group’s operational risk profile, monitoring specific operational and conduct risks and the risks impacting the Group's reputation, and taking appropriate action as and when required.
  • Our Disclosure Committee is chaired by the CFO. Its role is to support the Group CEO and Group CFO in ensuring timely and accurate disclosures and announcements are made by the group to its security holders and the investment community. 

Each business unit must establish a local ALCO and a local ORC in line with the overall scope of the group-level committees, although recognising different group and business unit requirements.

Our Business Unit Chief Executive Officers and Chief Financial Officers sign off the results of our FRCF process, and report compliance with FRCF to the Disclosure and the Audit Committees.


The Risk function as the second line of defence

The Risk function is accountable for the quantitative and qualitative oversight and challenge of the identification, measurement, monitoring and reporting of significant risks and for developing the Risk Management Framework (RMF).

As we respond to changing market conditions and customer needs, the Risk function regularly monitors the appropriateness of our risk policies and the RMF to keep them up to date. This helps to provide assurance to risk oversight committees that we have appropriate controls for all core business activities, and our processes for managing risk are understood and followed consistently across the Group.

The second line Risk function also includes our Compliance and Actuarial functions.

Our Actuarial function is accountable for Group-wide actuarial methodology. It reports to the relevant governing body on the adequacy of our reserves and capital requirements, and on the adequacy of our underwriting and reinsurance arrangements.

Our Compliance function supports and advises the business on the identification, measurement and management of its regulatory, financial crime and conduct risks. It is accountable for maintaining our compliance standards and framework, and monitoring and reporting on its compliance risk profile.

Internal Audit

Internal Audit as the third line of defence

The Internal Audit function gives independent and objective assessment on:

  • the robustness of our RMF
  • the appropriateness and effectiveness of our internal control
  • the adequacy of these systems to manage business risks and safeguard our assets and resources.

It reports to our Group Audit, Customer, Conduct and Reputation and Risk Committees, business unit Audit Committees and the Board.

The Internal Audit function has an Internal Audit Charter and Business Standard. The Charter sets out the function’s purpose, scope and responsibilities and how it maintains independence from the first and second line management of the Group.

The four main functions of Internal Audit are to:

  • assess and report on the effectiveness of the design and operation of our framework of controls to assess and manage risk
  • assess and report on the effectiveness of our management actions to address deficiencies in the framework of controls
  • investigate and report on cases of suspected financial crime and employee fraud and malpractice
  • undertake designated advisory projects for management provided that they do not threaten the function’s actual or perceived independence from management.

The Internal Audit Business Standard sets out how our managers support Internal Audit to achieve its objectives. It requires businesses to design and operate processes and controls to satisfy their mandatory requirements in the Standard based on the size and complexity of their business, and nature of the risks and challenges it faces. Any breaches of the Standard must be reported to the Chief Audit Officer (CAO) and others as appropriate.

Read our internal audit charter (PDF 211KB)

Board oversight

Our Risk Committee helps the Board oversee risk and risk management across the Group, and makes recommendations on risk appetite to the Board.

The role of our Customer, Conduct and Reputation Committee is to assist the Board in shaping the culture and ethical values of the Group through overseeing and advising on conduct, reputation and culture matters.

Our Audit Committee, working closely with our Risk Committee, assists the Board to meet its responsibilities for:

  • the integrity of our financial statements
  • the effectiveness of our system of internal financial controls
  • monitoring the effectiveness, performance and objectivity of our internal and external auditors.

The responsibilities and activities of the Risk, Customer, Conduct and Reputation, and Audit Committees are set out in their respective Committee Reports in the Annual Report and Accounts.

You can also read more about specific risks that Aviva faces and how we mitigate them in the Risk and risk management section of the Annual Report and Accounts.