Our risk governance

We govern risk through group-wide risk policies and business standards, risk oversight committees and clear roles, responsibilities and delegated authorities.

Our Board is responsible for setting the Group’s risk appetite and establishing procedures to manage risk and oversee the internal control framework.

The Board delegates day-to-day risk management to the Group CEO, who delegates operational aspects to executives within the Group through delegated authority letters.

Line management in the business is accountable for risk management, which together with the risk function and internal audit form our ‘three lines of defence’ of risk management.

Internal controls

Our internal controls facilitate:

  • effective and efficient business operations
  • the development of robust and reliable internal reporting
  • compliance with laws and regulations.

We assess our operational risks, and the adequacy and operating effectiveness of the controls implemented to manage and mitigate them, through operational risk and control self assessments, an integral part of the Group’s Operational Risk & Control Management (ORCM) framework.

We have a Group-wide reporting manual in relation to International Financial Reporting Standards (IFRS), Solvency II reporting requirements and a Financial Reporting Control Framework (FRCF).

FRCF relates to the preparation of reliable financial reporting, covering both IFRS and Solvency II reporting activity.

The FRCF process follows a risk-based approach, with management identification, assessment (documentation and testing), remediation (as required), reporting and certification over key financial reporting-related controls.

Management regularly undertake quality assurance procedures over the application of the FRCF process and FRCF controls.

Our Board delegates day-to-day management of our company and approval of specific issues up to set financial limits to our Group CEO. This includes limits on revenue and capital expenditure, reinsurance spend, and the settlement of claims. In turn the Group CEO delegates some of his authority to his direct reports. We have a similar delegated authority framework in place throughout the Group.

Our three lines of defence

Management as the first line of defence

Management are responsible for:

  • the implementation and application of our risk management framework
  • implementing and monitoring the operation of our system of internal control
  • risk identification, measurement, management and reporting, for which primary responsibility lies with management.

Our Group Executive Committee members and each business unit Chief Executive Officer are responsible for:

  • implementing our Group strategies, plans and policies
  • monitoring our operational and financial performance
  • assessing and controlling financial, business and operational risks
  • the maintenance and ongoing development of a robust control framework and environment in their areas of responsibility.

There are three group-level management committees designed to assist members of the Group Executive Committee in the discharge of their delegated authorities:

  • Our Asset Liability Committee (ALCO) supports the CFO and Chief Capital Officer (CCO) in the discharge of the responsibility delegated to them to manage the Group’s balance sheet within the risk appetite set by the Board, capital allocation, capital management decisions and management of financial risks.
  • Our Executive Risk Committee (ERC) provides oversight, challenge, support and advice on the risk profile and exposure of the Group and its business units in line with the applicable risk appetite framework and regulatory requirements. The ERC is responsible for the development and ongoing maintenance of a risk management framework that is effective and proportionate to the nature, scale and complexity of the inherent risks.
  • Our Disclosure Committee supports the Group CEO and Group CFO in ensuring timely and accurate disclosures and announcements are made by the Group to its security holders and the investment community.

Each business unit must establish a local ALCO and a local ERC in line with the overall scope of the group-level committees, although recognising different group and business unit requirements.

Our Business Unit Chief Executive Officers and Chief Financial Officers sign off the results of our FRCF process, and report compliance with FRCF to the Disclosure and Audit Committees.

The Risk function as the second line of defence

The Risk function comprises the Risk Management, Actuarial and Compliance key control functions.

Together they are responsible for the design and implementation of the Risk Management Framework (RMF) and for reporting to the Board and Management on material risks identified and the effectiveness of the operation of the risk management system. The Risk function also provides independent oversight of first-line risk taking. All key decisions must have the support of the Risk Management Function before proceeding, and the CRO has the power of veto.

Our Actuarial function advises on key issues and judgments and the appropriateness of assumptions underlying the calculation of technical provisions. It owns the Solvency II internal model and its calibration, ensuring it remains fit for purpose.

Our Compliance function advises and reports on compliance with applicable laws and regulations, as well as material conduct, financial crime and regulatory risks, owning the frameworks to manage these risks.

Internal Audit as the third line of defence

Internal Audit is independent of the first and second lines of defence. It evaluates the adequacy and effectiveness of the internal control system and system of governance, reporting its findings and recommendations to the Board and Management.

Read our Internal Audit Charter (PDF 65KB)