Capital & Risk Management: Business Resiliency

The Travelers Business Resiliency Risk Committee, composed of members of our executive team, oversees the implementation of our Business Resiliency Program and, along with our management-level Enterprise Risk Committee, is charged with reviewing and approving mission-critical processes, identifying risks to business resiliency and facilitating decisions to accept, mitigate or remediate these risks.

Pursuant to its charter, the Risk Committee of our Board of Directors oversees “the strategies, processes and controls pertaining to business continuity and executive crisis management for the Company and its business operations.” In exercising its oversight, the Risk Committee of our Board meets annually with members of the Business Resiliency Risk Committee and the Enterprise Risk Committee to review the company’s business continuity, disaster recovery and crisis management efforts. Among other things, the Risk Committee reviews the enterprise event response protocols, discusses how those protocols would be (and were) triggered for events ranging from catastrophes to local shootings to bomb threats and evaluates lessons learned from actual events, such as the COVID-19 pandemic. The Risk Committee also receives quarterly reports regarding cyber incidents, including those events affecting suppliers that may impact Travelers. In addition, the Risk Committee is regularly briefed on the steps taken to reduce future risk and improve our threat detection and response processes.

Business continuity

The primary objective of business continuity is to ensure that the company is prepared to respond to, and recover from, an unexpected disruption. This requires a solid understanding of the risks to our operational structure and involves contingency planning and testing of hundreds of business processes across Travelers. We have inventoried our business processes and categorized them according to their criticality and urgency to the company, and we have tailored our resiliency measures accordingly.

Through annual risk reviews, which are facilitated centrally, each business function updates its resiliency plans with respect to key operational aspects. The plans include specific recovery scenarios and detailed workaround plans to be leveraged in the event of a disruption related to technology, facility, workforce or supplier issues. We also conduct validation exercises to test the effectiveness of those plans.

In addition, as a fundamental part of our enterprise supplier management program, we identify supplier risks and mitigating controls, enabling the company to make informed decisions throughout the life cycle of a supplier relationship. Specifically, we assess the business continuity and disaster recovery risk of our suppliers to evaluate their overall business resiliency, recovery capabilities and limitations. And we create contingency plans detailing how the company will continue to operate if a supplier becomes unavailable.

Disaster recovery

We base our approach to disaster recovery on a model that provides redundant infrastructure and application and platform solutions designed to enable continued operation in the event of a disruption. We review these solutions on a regular basis to ensure that they continue to align with our business strategy. In addition, on an annual basis, we perform disaster recovery testing on all of our mission-critical and supporting applications.

We inventory computing platforms with a plan to move to an alternate site, the specifics of which vary by application design and business criticality. We maintain technology availability standards to help ensure adequate designs are deployed and sufficient procedures are in place and tested to restore infrastructure, applications and data in the event of a disaster.

We perform backups of production data from our primary facility to our alternate sites. Critical technology infrastructure is designed with sufficient levels of redundancy to support recovery from local or geographic service disruption events.

Crisis management

Our Crisis Management Operating Model includes two teams: the Operational Response Team (ORT) and the Enterprise Event Response Team (EERT).

Our integrated ORT comes together to manage events, both planned and unplanned, providing a coordinated and facilitated response to situations of all types. The ORT is a group of employees from across the organization, prepared to come together before, during or shortly after an event to ensure that we respond appropriately. The ORT manages corporate security, real estate, technology, cyber, business continuity, and environmental health and safety events. The ORT also maintains well-documented emergency response procedures and conducts regular training, scenario planning and exercises in anticipation of potential emergency scenarios. Travelers has event-specific playbooks covering protocols for various scenarios, including a pandemic, natural disaster, data center outage and cybersecurity incident. Roles and responsibilities of team members are clearly defined, enabling an efficient response to a national crisis or a technology, worksite, workforce or supplier event.

The EERT is a core team that is responsible for monitoring and managing catastrophe events, underwriting and exposure, claim response and regulatory events that have the potential to adversely impact Travelers’ reputation, operations, earnings and/or capital. The EERT consults with other corporate groups through multiple channels to determine appropriate actions consistent with well-documented protocols. When escalation is required, the ORT and the EERT engage with the appropriate group of senior executives tasked with overseeing the execution of our crisis management and emergency response plans related to the event.