Our risk governance

We govern risk through group-wide risk policies and business standards, risk oversight committees and clear roles, responsibilities and delegated authorities.

Our Board is responsible for setting the Group’s risk appetite and for establishing procedures to manage risk and oversee the internal control framework. A summary of the Board Risk Committee’s activities can be found in our Annual Report and Accounts, which you can find on our reports page.

The Board delegates day-to-day risk management to the Group Chief Executive Officer (Group CEO), who delegates operational aspects to executives within the Group through delegated authority letters.

Line management in the business is accountable for risk management. Together with the Risk function and Internal Audit, it forms our ‘three lines of defence’ of risk management.

You can read more about our approach to risk in our Annual Report and Accounts, which you can find on our reports page.

Internal controls

The Group’s system of internal controls facilitates the effective management of risks faced by and arising from its business operations, including compliance with regulations. The Group’s suite of business standards sets out Aviva’s required control objectives and minimum control requirements for effective internal control throughout the Group. These control objectives include:

  • the business demonstrating a commitment to integrity and ethical behaviour and promoting Aviva’s desired culture and values, including in relation to risk and control;
  • reducing future losses and detriment to customers arising from failures in operational risk management and controls; and
  • supporting reliable reporting on the operational risk and control environment at all levels of the business, to increase the confidence of the Board, regulators and customers in the effectiveness and efficiency of our operational processes.


Our three lines of defence


Management is the first line of defence.

Management are accountable for:

  • the implementation and application of our risk management framework
  • implementing and monitoring the operation of our system of internal control
  • risk identification, measurement, management and reporting, for which management has primary responsibility.

Our Group Executive Committee members and each business unit Chief Executive Officer are accountable for:

  • implementing our Group strategies, plans and policies
  • monitoring our operational and financial performance
  • assessing and controlling financial, business and operational risks
  • the maintenance and ongoing development of a robust control framework and environment in their areas of responsibility.

There are three group-level management committees designed to assist members of the Group Executive Committee in the discharge of their delegated authorities:

  • Our Asset Liability Committee (ALCO) supports the Group Chief Financial Officer (Group CFO) and Chief Capital Officer (CCO) in discharging the responsibility delegated to them for managing the Group’s balance sheet within the risk appetite set by the Board, for capital allocation and capital management decisions, and for the management of financial risks.
  • Our Executive Risk Committee (ERC) provides oversight, challenge, support and advice on the risk profile and exposure of the Group and its business units (BUs) in line with the applicable risk appetite framework and regulatory requirements. The Group ERC is responsible for the development and ongoing maintenance of a risk management framework that is effective and proportionate to the nature, scale and complexity of the inherent risks.
  • Our Disclosure Committee supports the Group CEO and Group CFO in ensuring that timely and accurate disclosures and announcements are made by the Group to its security holders and the investment community.

Each business unit must establish a local ALCO and a local ERC in line with the overall scope of the group-level committees, while recognising that group and business unit requirements differ.


The Risk function, as the second line of defence, is accountable for the design and implementation of the Risk Management Framework (RMF) and for reporting to the Board and management on material risks identified and on the effectiveness of the operation of the risk management system. It also provides independent oversight of first-line business operations. All key decisions must have the support of the Risk function before proceeding, and the Chief Risk Officer has the power of veto.

Internal Audit

Internal Audit, as the third line of defence and independent of the first and second lines of defence, is responsible for assessing and reporting on the effectiveness of the design and operation of the framework of internal controls, which enables risk to be assessed and managed appropriately.

Read our Internal Audit Charter (PDF 248KB)