Capital & Risk Management: Business Resiliency

Our approach to business resiliency is designed to allow us to deliver on the Travelers Promise to take care of our customers, communities and employees in the face of unexpected disruptions. The Travelers Business Resiliency Program is our internal ecosystem focused on the goal of ensuring that we can operate consistently for our employees, agents and customers despite incidents and operational disruptions and, accordingly, continue to deliver for our shareholders. Our Business Resiliency Program takes a comprehensive approach that encompasses business continuity, disaster recovery and incident management. In accordance with our MISR process, which is described in the Enterprise Risk Management section, our Business Resiliency Program is supported by senior management with oversight by the Risk Committee of our Board of Directors. Our program focuses on both preventive measures (including technology availability design, facility resilience and business continuity training/awareness programs) and event response preparation (including contingency planning, technology restoration and incident management/emergency response).
The Travelers Business Resiliency Risk Committee, composed of members of our executive team, oversees the implementation of our Business Resiliency Program and, along with our management-level Enterprise Risk Committee, is charged with reviewing and approving mission-critical processes, identifying risks to business resiliency and facilitating decisions to accept, mitigate or remediate these risks.
Pursuant to its charter, the Risk Committee of our Board of Directors oversees “the strategies, processes and controls pertaining to business continuity and executive crisis management for the Company and its business operations.” In exercising its oversight, the Risk Committee of our Board meets annually with members of the Business Resiliency Risk Committee and the Enterprise Risk Committee to review the company’s business continuity, disaster recovery and incident management efforts. Among other things, the Risk Committee reviews the enterprise event response protocols, discusses how those protocols are triggered for business disruptive events and evaluates the lessons learned from past events. The Risk Committee also receives quarterly reports regarding cyber incidents, including those events affecting suppliers that may impact Travelers. In addition, the Risk Committee is regularly briefed on the steps taken to reduce future risk and improve our threat detection and response processes.
Business continuity
The primary objective of business continuity is to ensure that the company is prepared to respond to, and recover from, an unexpected business disruption. This requires a solid understanding of the risks to our operational structure and involves contingency planning and testing of hundreds of business processes across Travelers. We have inventoried our business processes and categorized them according to their criticality and urgency to the company, and we have tailored our resiliency measures accordingly.
Through annual risk reviews, which are facilitated centrally, each business function updates its business continuity contingency plans and business process mitigation strategies with respect to key operational aspects. These plans and strategies include specific recovery scenarios and detailed workarounds to be leveraged in the event of a disruption related to technology, facility, workforce or supplier issues. We conduct scenario-based simulation exercises to test the effectiveness of those plans and strategies.
In addition, as a fundamental part of our enterprise supplier management program, we identify supplier risks and mitigating controls, enabling the company to make informed decisions throughout the life cycle of a supplier relationship. Specifically, we assess the business continuity and disaster recovery risk of our suppliers to evaluate their overall business resiliency, recovery capabilities and limitations.
Disaster recovery
Our disaster recovery approach is designed to provide redundant infrastructure and platform solutions to enable our continued operation in the event of a disruption. We review solutions on a regular basis to ensure alignment with our business strategy. In addition, we perform disaster recovery testing on all of our mission-critical and supporting applications.
We inventory computing platforms with a plan to move to an alternate site, the specifics of which vary by application design and business criticality. We maintain technology availability standards to help ensure adequate designs are deployed and sufficient procedures are in place and tested to restore infrastructure, applications and data in the event of a disaster.
We conduct backups of production data from our primary facility to our alternate sites. Critical technology infrastructure is designed with levels of redundancy to support recovery from local, regional or broader geographic service disruption events.
Incident management
Incident management is the process of managing a company’s mitigation response in the event of an unexpected significant disruption or emergency. Our three key Incident Management teams are: the Executive Crisis Management Team (ECMT), the Enterprise Event Response Team (EERT) and the Operational Response Team (ORT).
The ECMT is composed of the Chairman and Chief Executive Officer, the Executive Vice President and Chief Administrative Officer, the Executive Vice President and Chief Technology & Operations Officer, and other executive representatives who may vary depending on the situation. The ECMT is responsible for making executive decisions and providing strategic direction during times of crisis.
The EERT is a core team that is responsible for monitoring and managing catastrophe events, underwriting and exposure, claim response and regulatory events that have the potential to adversely impact Travelers’ reputation, operations, earnings and/or capital. The EERT consults with other corporate groups through multiple channels to determine appropriate actions consistent with well-documented protocols. When escalation is required, the EERT and the ORT engage with the appropriate group of senior executives tasked with overseeing the execution of our incident management and emergency response plans related to the event.
Our integrated ORT is led by the Vice President of Corporate Security for health, security, safety and facility incidents or by functional leaders for other types of incidents, with support from the Business Resiliency Office. The ORT comes together to manage incidents, both planned and unplanned, providing a coordinated and facilitated response to situations of all types. The ORT is a group of employees from across the organization, prepared to come together before, during or shortly after an incident to ensure that we respond appropriately. The ORT may include representatives from Corporate Security, Corporate Real Estate, Technology & Operations, Cybersecurity, Business Continuity, Environmental Health and Safety, Legal Services, Human Resources, Corporate Communications, Supplier Management and other areas as deemed appropriate. The ORT has well-documented emergency response procedures and conducts regular training, scenario planning and exercises in anticipation of potential emergency scenarios. Travelers maintains incident-specific playbooks covering protocols for various scenarios, including a pandemic, natural disaster, data center outage and cybersecurity incident.