Overview of our BCM
Munich Re Service GmbH and Munich Re have implemented the Business Continuity Management System (BCMS) to put the Business Continuity Management (BCM) concept into practice. BCM contains the following elements:
- Continuity & Recovery management ensures the timely resumption of prioritized business operations and resources after reduction or shutdown (continuity and recovery) and return to normal operations (restore).
- Emergency management is a process with defined management teams (emergency management teams) at one or multiple locations or for a legal entity or entities.
- Crisis management is a global, segment-wide management process with a defined management team (crisis management team) that maintains the segment’s ability to act in a potential or acute crisis.
The BCM documentation is organized in a three-layer hierarchy. Each layer defines a different level of granularity regarding the document’s content:
- BCM Policy defines the scope of BCM and describes organizational aspects.
- BCM Guidelines define minimum binding requirements for the legal entities in scope. The requirements are aligned with international standards and regulatory requirements for BCM at a tangible level of detail.
- BCM Work Instructions define detailed responsibilities and procedures for fulfilling the minimum requirements as defined in the BCM Guidelines.
The concept of BCM is operationalized through the BCMS. The latter executes the company-wide standards for governance and organization, planning, implementation, evaluation, monitoring, reporting, and improvement using the Plan-Do-Check-Act (PDCA) cycle.
The first stage — Plan — involves governance and organization activities such as defining the scope, outlining the policy framework, designating the roles and responsibilities, and more.
The second stage — Do — covers conception and implementation activities in emergency and crisis management and in continuity and recovery management.
The third stage — Check — involves validation activities such as tests and exercises, management reporting, review and access, and monitoring and controlling.
The fourth stage — Act — includes continuous improvement activities like lessons learned, correction and improvement.
Identification of the process criticality
We use a global process landscape (PLS) for conducting the Business Impact Analysis (BIA) to identify the process criticality. The BIA takes place at the second stage of the PDCA cycle, within the scope of continuity and recovery management. It helps determine a company’s critical processes and required resources (for instance, IT, buildings and premises, personnel, and third parties).
The BIA aims to:
- Identify the processes and resources critical for maintaining the continuity of services.
- Determine the requirements and resource needs for maintaining operational capability.
- Identify possible BCM scenarios based on prioritized risks.
The requirements and disruption scenarios identified by the BIA define overarching Business Continuity Strategies (BC Strategies). BIAs are reviewed annually, or ad hoc in case of major organizational changes.
Product-related BCM
Business Continuity Management is our commitment to continuity. We regularly conduct risk assessments and business impact analyses, and implement backup and recovery solutions to ensure critical business functions can continue or be restored in case of disruptions or disasters. This approach helps minimize downtime and maintain business resilience.
Our products and solutions are hosted on the Microsoft Azure cloud and use its built-in mechanisms for data backup and restore procedures, according to the shared responsibility model. To prevent data loss in case of large-scale service failure or disaster, Azure uses cross-region replication, distributing backup copies between two regions in the same geography. To protect against accidental deletion of data, Microsoft takes point-in-time backups in Azure.
Backup concept
Database backups help protect data from corruption or deletion, enabling data restore to a point in time within the configured retention period.
The Business Impact Analysis (BIA) defines the following minimum backup requirements that can be achieved:
- Maximum Tolerable Downtime (MTD)
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
Backup and restore procedures
Full, differential incremental, and transaction log backups are performed and stored geo-redundantly within the EU. All backups are encrypted (during the process, in transit, and at rest). Encryption is applied regardless of data criticality. Backup restore tests are performed every year.
The backup types are described in the following table.
Type | Description |
---|---|
Full backup | Encompasses all data and allows for the complete restoration of data or systems in one step. The full backup is a complete dump of your database including everything present in the database and transaction log file. |
Differential incremental backup | Represents the delta since the last backup of any type. |
Transaction log backup | Captures the log records from the transaction log file. It is also used for point-in-time recovery. |
We use the Microsoft Azure cloud and its built-in mechanisms for data backup and restore procedures, according to the shared responsibility model. For detailed information about the shared responsibility model, refer to the article Third-party management.