2026-01-14 | Circular 09/2025 (VA)

BaFin Circular 09/2025 on Minimum Governance Requirements for Solvency II Insurance Undertakings

BaFin issued Circular 09/2025 to establish binding guidelines on the system of governance for German Solvency II insurance undertakings and groups. The circular mandates proportionate implementation of risk culture, materiality thresholds, and segregated responsibilities while aligning national requirements with EIOPA guidelines, DORA, and the AI Regulation. It takes effect on 14 October 2025, replacing Circular 02/2017 and ensuring consistent supervisory application across all covered entities.


Federal Financial Supervisory Authority Germany


Minimum Requirements under Supervisory Law on the System of Governance of Insurance Undertakings under Solvency II (Aufsichtsrechtliche Mindestanforderungen an die Geschäftsorganisation von Versicherungsunternehmen unter Solvabilität II – MaGo für SII-VU)

14.01.2026

1 Objectives of the Circular

1 This Circular provides guidelines on interpreting the provisions concerning the system of governance in the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG) and in Delegated Regulation (EU) 2015/35 (Delegated Regulation). It establishes a binding interpretation of these requirements for BaFin and hence ensures consistent application to all undertakings and groups. Within the applicable regulatory requirements, undertakings are responsible for determining an appropriate structure for their system of governance. They can implement the requirements in a proportional and principle-based manner.

2 Scope and definitions

2 The Circular addresses the Solvency II supervisory regime. It applies to all primary insurers and reinsurers whose registered office is in Germany or in a third country under section 1 (1) no. 1 in conjunction with section 7 no. 33 or section 7 no. 34 in connection with no. 6 of the VAG (referred to hereafter as “undertakings”), unless they are death benefit funds under section 218 (1) of the VAG, Pensionskassen under section 232 (1) of the VAG or small insurance undertakings under section 211 of the VAG. This Circular does not apply to reinsurance undertakings that meet the conditions set out in section 165 (1) of the VAG, or to primary insurers and reinsurers that meet the conditions set out in section 343 of the VAG.

3 This Circular applies accordingly at group level, provided that the group supervision requirements under section 245 et seq. in conjunction with section 275 (1) sentence 1 of the VAG apply.

4 Insurance holding companies and mixed financial holding companies that themselves conduct insurance business also fall within the scope of this Circular (section 293 (1) sentence 2 of the VAG). With the exception of sections 27, 28 and 31 of the VAG, the provisions of the VAG on the system of governance apply accordingly to those undertakings that do not themselves conduct insurance business (section 293 (1) sentence 1 of the VAG). In this respect, the specifications provided in this Circular apply accordingly.

5 The terms “governance system” and “system of governance” are used throughout this Circular. These terms are synonymous with each other.

6 The term “management board” refers to the management board of an undertaking. Insofar as undertakings under public law or undertakings in the legal form of a European Company (SE) or insurance holding companies and mixed financial holding companies that fall within the scope of this Circular do not have a governing body with this title, the corresponding management body takes the place of the management board. The corresponding supervisory body takes the place of the supervisory board under the same conditions. In the case of branches of undertakings whose registered office is outside the European Economic Area, the authorised agent takes the place of the management board.

3 Relationship of the Circular to the EIOPA Guidelines and other publications, entry into force

7 BaFin bases its interpretation of the relevant provisions of the VAG and the Delegated Regulation on the EIOPA Guidelines on System of Governance (EIOPA-BoS-14/253 EN), unless it has declared with regard to individual guidelines that it does not apply them in full.

8 As regards the requirements related to the fit and proper assessment of the professional qualifications and good repute of persons who effectively run an undertaking or have other key tasks and the related notification requirements, reference is made to Circular 9/2023 (VA) on the fit and proper assessment of the professional qualifications and good repute of members of the management board in accordance with the Insurance Supervision Act, Circular 10/2023 (VA) on the fit and proper assessment of the professional qualifications and good repute of members of administrative or supervisory bodies in accordance with the Insurance Supervision Act, and Circular 11/2023 (VA) on the fit and proper assessment of the professional qualifications and good repute of individuals responsible for key functions or who carry out key functions, in accordance with the Insurance Supervision Act.

9 Any specific requirements that BaFin imposes in other publications on undertakings’ system of governance remain unaffected by the requirements set out in this Circular. The scope of any other publication that may differ from this Circular remains unaffected by the scope of application of this Circular.

10 This applies in particular to requirements regarding the system of governance in accordance with:

Circular 05/2025 (VA) – Prudent Person Principle (PPP) of Insurance Undertakings under Solvency II (PPP Circular)
Circular 11/2018 (VA) – Cooperation with Insurance Intermediaries and Risk Management in Distribution
Circular 6/2018 – Minimum Requirements for Complaints Management, amended on 23 January 2020
Circular 3/2016 (VA) – Trustee for Monitoring of the Guarantee Assets (Sicherungsvermögen)
Circular 3/2013 (VA) – Minimum Requirements for Complaints-Handling by Insurance Undertakings
Interpretative decision of 20 December 2016 – Aspects of remuneration (Article 275 of Delegated Regulation (EU) 2015/35)
Interpretative decision of 30 August 2016 – Conduct of reinsurance business in Germany by insurers domiciled in third countries
Interpretative decisions of 23 December 2015 – ORSA
Interpretative decision of 23 October 2013, amended on 24 April 2014 – Guidance on the use of external ratings and on making own credit risk assessments
Guidance Notice on Dealing with Sustainability Risks of 20 December 2019, amended on 13 January 2020
Supervisory Statement – Guidance on outsourcing to cloud service providers of February 2024

11 Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (DORA) and Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Regulation) set out sector-specific regulatory requirements and create a harmonised framework for dealing with information and communication technology (ICT) risks and risks arising from AI. The interpretative guidance contained in this Circular relates to the general processes of the governance system. Insofar as the general aspects of the governance system are relevant to meeting the specific requirements of the AI Regulation and DORA, the interpretative guidance in this Circular remains authoritative. In this respect, the section of this Circular dealing with automated business processes combines the general national regulations on systems of governance with the specific technical requirements of DORA and the AI Regulation.

12 This Circular comes into force on 14 October 2025. At the same time, Circular 02/2017 (VA) will be abrogated.

4 Principle of proportionality

13 The principle of proportionality plays a significant role in the implementation of the governance system requirements. The requirements must be met in a way that is proportionate to the nature, scale and complexity of the risks inherent in the business of the undertaking (section 296 (1) of the VAG). The proportionality principle is therefore linked to the individual risk profile of the undertaking. A smaller undertaking may indicate a lower risk profile, while the converse is also true. Insofar as the number of staff can play a role in determining an undertaking’s size, it is not the number of existing staff that is crucial, but the actual requirement for staff. This also includes the requirement for staff at service providers in connection with outsourcing. Accordingly, external staff must also be considered.

14 Proportionality affects how requirements can be met. For example, a less pronounced risk profile can result in simplified implementation requirements, whereas a more pronounced risk profile makes implementation requirements more demanding. The assessment of which arrangement can be considered to be proportionate can only be made in the specific context and is not static, but may evolve over time in response to changing circumstances. This is why, when circumstances change, the undertaking must examine whether and how the existing structures and processes can or may have to be enhanced.

5 Overall responsibility of the management board

15 All members of the management board are responsible for ensuring a proper and effective system of governance. The full management board is therefore also responsible for ensuring that the undertaking has an appropriate and effective risk management and internal control system in place. The overall responsibility of the management board is applicable irrespective of whether an allocation of competences is carried out. Where the requirements of this Circular expressly relate to executive tasks of the full management board, the board cannot delegate its responsibility for these tasks, not even to one or more of its members.

6 Material risks

16 According to the principle of materiality, only those material risks to which the undertaking is actually or may potentially be exposed must be considered. As a matter of principle, the risks that are to be classified as material must be determined individually for each undertaking, in accordance with the framework of the legal requirements and supervisory provisions. By way of exception, however, a standardised set of classification rules applicable to all undertakings may be more appropriate than an undertaking-specific approach (see margin no. 35).

17 The full management board determines individual materiality thresholds appropriate to the risk profile based on suitable and comprehensible criteria. The appropriateness of these thresholds must be ensured on an ongoing basis. To this end, both regularly and on an event-driven basis, the full management board obtains an overview of all risks, including sustainability risks, to which the undertaking is actually or may potentially be exposed. The materiality thresholds and the criteria for determining them must be set out in writing.

18 All undertakings must establish separate materiality thresholds for the following risk categories at a minimum: underwriting risk, market risk, credit risk, liquidity risk and operational risk. In accordance with margin no. 17, further undertaking-specific materiality thresholds can be determined, irrespective of whether the respective risks can be assigned to further risk categories (e.g. political, strategic or reputational risks). Accordingly, separate materiality thresholds may also be required in individual cases for concentration risks and sustainability risks within the meaning of Article 1(55c) of the Delegated Regulation (see also BaFin’s Guidance Notice on Dealing with Sustainability Risks).

19 The criteria for determining materiality thresholds must not be based solely on the impact in terms of accounting or the impact of legal violations.

20 The management board must ensure that the materiality thresholds are applied consistently.

7 Risk culture

21 A risk culture actively supported within an undertaking forms the basis for an effective risk management system that is appropriate to the undertaking’s risk profile. It includes the following in particular:

establishing a common understanding of the undertaking’s own risks, including sustainability risks, and how to deal with these risks; this must be ensured for all persons at all hierarchical levels – at least to the extent that they deal or could deal with the risks – and must be expressed in a common risk language;
determining responsibilities in respect of dealing with risks, which includes at least the persons responsible for the build-up, identification, assessment, monitoring and management of material risks;
assessing whether and which incentive structures are appropriate for dealing with risks in the undertaking and whether such structures will be introduced;
encouraging an open dialogue among all individuals concerned in the undertaking on how to deal with risks so that all persons receive the information relevant to them in a timely manner.

22 The risk culture must be appropriate to the risk profile. It is reflected in the undertaking’s standards and in the attitudes and behaviour of its staff. The risk culture affects the undertaking’s risk awareness, risk appetite, risk management and risk control system and is reflected in its documentation and written policy.

23 The full management board must promote the risk culture. In this context, it serves as an example (“tone at the top”). The full management board ensures that the risk culture is communicated within the undertaking, is adhered to in the build-up of risks and is linked to the risk management system and the internal controls.

24 Appropriate evaluation processes must be provided for in order to ensure that shortcomings in the risk culture are identified at an early stage. For this purpose, the undertaking can draw on processes that must be set up due to other requirements. Any shortcomings found must be remedied by appropriate measures.

8 Requirements for the system of governance at group level

25 The supervisory requirements for the system of governance at undertakings apply accordingly at group level in accordance with section 275 (1) sentence 1 in conjunction with section 23 et seq. of the VAG. There are also group-specific requirements. The risk management systems, internal control systems and reporting systems of all the undertakings included in group supervision must be appropriately and effectively managed and monitored at group level.

26 The full management board of the undertaking responsible for fulfilling the requirements at group level is responsible for setting up a proper system of governance at group level, including the monitoring and management of the undertakings of the insurance group that are included in group supervision. The responsibility for the overall monitoring and management of affiliated undertakings within the insurance group, under company law relating to groups, arises from general company law. The supervisory responsibility under insurance law and the monitoring and management responsibility under general company law extend to all affiliated companies in Germany and abroad, including non-insurance undertakings. For example, as part of group risk management, the undertaking responsible for fulfilling the requirements at group level must also take into account the group risks emanating from foreign and non-insurance undertakings, without these undertakings themselves having to maintain the governance system of an insurance undertaking under Solvency II.

27 The undertaking responsible for fulfilling the requirements at group level must establish a group-wide internal control system that ensures an effective information flow at insurance group level, appropriate to the risk profile of the group. This requires sufficient, reliable and timely information for at least all of the decisions material to the group. The information flow must be ensured within the undertaking responsible for fulfilling the requirements at group level and between this undertaking and the undertakings belonging to the group. The possibilities for the exchange of information within the group under section 276 (1) and (2) of the VAG must be utilised comprehensively.

28 The undertaking responsible for fulfilling the requirements at group level must implement an appropriate holistic risk culture also at the level of the group (see section 7).

29 In order to ensure fulfilment of the requirements at group level, the undertaking responsible for fulfilling the requirements at group level must make use of the existing possibilities under company law for exerting influence. Insofar as the fulfilment of the governance requirements at group level is in conflict with the possibilities under company or capital market law, the undertaking responsible for fulfilling these requirements and the group undertakings must be aware of this and take appropriate measures to ensure that the requirements are met. All undertakings subject to group supervision must cooperate to ensure that the governance requirements are met at group level (section 246 (3) of the VAG).

30 Within the applicable regulatory requirements, undertakings are responsible for appropriately implementing the governance system requirements at group level. The undertaking responsible for fulfilling the requirements at group level must promote consistent implementation within the group, for example through a joint group committee for coordination within the group. If smaller legal entities of a group are not represented in these intra-group coordination processes, they must be informed by other means about measures that are significant for them and, if necessary, give their consent separately.

9 General system of governance requirements

9.1 Organisational and operational structure

9.1.1 General information

31 Undertakings must decide which specific organisational structure is suitable for them, giving due consideration to their risk profile and the scope of the requirements to be met.

9.1.2 Determining tasks, responsibilities and reporting lines

32 A transparent organisational structure appropriate to the undertaking’s risk profile requires a clear definition and segregation of tasks and responsibilities. There must be clear rules in place regarding who is responsible for tasks in the undertaking and who is accountable for decisions.

33 Rules on representation and reporting lines must also be clearly defined in addition to the tasks and responsibilities. It must be ensured that all persons in the undertaking receive any information concerning them without delay and are able to recognise its significance, and that the exercise of the relevant task or responsibility is guaranteed at all times.

9.1.3 Appropriately segregating responsibilities

34 The organisational structure of an undertaking must provide for a segregation of responsibilities, up to and including the level of the management board, that is appropriate to the undertaking’s risk profile. The overall responsibility of the management board under margin no. 15 remains unaffected by this.

35 The key aspect of the principle of segregation is that units responsible for the build-up of material risk positions may not at the same time be responsible for the monitoring and control of these risks. The build-up of material risk positions occurs at least in the underwriting, investment and distribution units. The specific implementation of this principle may depend on the situation of the undertaking, taking into account the principle of proportionality. However, this principle may only be deviated from on a case-by-case basis; it must be ensured that possible conflicts of interest are countered by accompanying measures. The accompanying measures to be taken depend on the nature of the respective conflict of interest. For example: by way of exception, in the event of a lower risk profile and if appropriate and effective accompanying measures are in place, it is possible for a member of the management board to be responsible both for distribution and – either alone or together with the other members of the management board – for risk management. Accompanying measures include the dual control principle, separate reporting lines and the establishment of accompanying committees.

36 Even if there is no conflict between risk build-up and risk monitoring, the principle of segregation must be observed if one person performs several functions at the same time.

9.1.4 Determining rules and regulations on the operational structure

37 The operational structure must ensure that risk-bearing processes and their interfaces are appropriately managed and monitored. This requires, first of all, that all processes be assessed from a risk perspective.

38 The range of risk-bearing processes extends beyond the units in which material risk positions are built up (margin no. 35). All undertakings have risk-bearing processes in the units in which material risk positions are built up, i.e. at least in the risk underwriting, investment and distribution units (margin no. 35), as well as in the units for reserving (under both Solvency II and the German Commercial Code (Handelsgesetzbuch – HGB)), asset-liability management (ALM) and ceded reinsurance management. Ensuring the appropriate management and monitoring of the risk-bearing processes identified requires a clear definition of the individual steps of these processes, including the necessary control activities as defined by the internal control system, and – if necessary – of the escalation steps, the process-specific areas of responsibility and accountability and the information flows.

39 Control activities generally do not require the implementation of comprehensive controls following each individual process step. However, particularly those process steps that involve risks must always be identified and checked on a regular basis.

9.1.5 Implementing rules and regulations on the operational structure

40 To ensure the proper performance of their tasks, it is important that all relevant staff know the work procedures relevant to them; i.e. they must be informed in this regard and be familiar with the relevant content.

9.1.6 Documenting the organisational and operational structure

41 The documentation of the organisational and operational structure must be kept up-to-date at all times. Previous versions must be archived for a minimum of six years.

9.1.7 Special aspects regarding groups

42 An organisational and operational structure appropriate to the risk profile at group level includes, among other things, an efficient and transparent organisational structure, clear allocation and segregation of responsibilities appropriate to the risk profile and setting up controls and communication channels within the group. This applies in particular to the undertaking responsible for fulfilling the requirements at group level. This undertaking must also set up control and monitoring processes appropriate to its risk profile that effectively include its affiliated undertakings. Responsibility for the implementation of process-integrated controls and of the controls and monitoring activities of key functions at group level must be clearly defined. The responsibilities and associated processes for managing the group tasks must be clearly documented.

43 The full management board of the undertaking responsible for fulfilling the governance requirements at group level must have sufficient knowledge of the internal organisation of the group, the business models of the various undertakings, the links and relationships between them and the risks resulting from the group structure.

44 If changes occur in the group structure, it may be necessary to make adjustments to the organisational and operational structure both at group level and at the level of the individual undertakings. It may be necessary, for instance, to redefine responsibilities and reporting lines.

45 Responsibility for adjustments to the organisational and operational structure at group level lies with the management board of the undertaking responsible for fulfilling the requirements at group level.

46 Responsibility for adjustments to the organisational and operational structure at the level of an individual undertaking lies with the management board of the relevant undertaking. The requirements of the undertaking responsible for fulfilling the requirements at group level may have to be observed and implemented individually for each undertaking as necessary.

9.2 Management board and supervisory board

47 The governance system of an undertaking includes processes for the regular and ad hoc transmission of information and reports from the organisational units and functions to the management board. On this basis, and in consultation with relevant advisers, the management board carries out its executive tasks and makes its decisions. The processes set up to ensure that staff are notified of decisions relevant to them in such a way that these can be implemented in full are just as important as the processes for transmitting information and reports to the management board.

48 The supervisory board actively exercises the rights of information, inspection and review granted to it for the purpose of fulfilling its duties and advises the management board on strategic and other issues. This does not affect section 210 of the VAG.

49 The responsibility of the full management board does not release the supervisory board from its duty to check whether the full management board has set up a proper and effective system of governance with regard to the internal control system, the risk management system and the internal audit function.

9.2.1 Group level

50 The management board of the undertaking responsible for fulfilling the governance requirements at group level interacts as necessary with the management boards of the undertakings within the group.

9.2.2 Dual control principle

51 Undertakings must ensure that they are effectively run by at least two persons. This implies that a minimum of two persons who effectively run the undertaking are involved in every material decision taken by the undertaking before the relevant decision is implemented.

52 Undertakings are responsible for making the initial assessment as to whether, in addition to the members of the management board, there are other persons in the undertaking who, based on their decision-making powers, are also deemed to be among those persons effectively running the undertaking. This is relevant for instance at the second management level.

53 The undertaking is responsible for determining which decisions must be categorised as material with respect to the business model and the risk profile. A decision is considered material, for example, if it has cross-departmental significance or exceeds a threshold so that it has a significant impact on the business model or structure of the undertaking and can no longer be attributed to ordinary business activities.

9.2.3 Documentation

54 The management board must document its decisions and the manner in which it takes into account the information obtained from risk management (see section 11.1). In the same way, any decisions material to the undertaking made by other persons who effectively run the undertaking must be documented.

55 It is not possible to specify a minimum level of structure for the documentation that can be applied comprehensively. The scope and level of detail of the documentation of decisions depend on the purpose of the documentation and the risks associated with the respective decision. The structure of the documentation must therefore be determined in each individual case on the basis of a holistic assessment, with due regard to internal checks and benefits. However, it is not an option to dispense entirely with the documentation requirement.

56 The documentation is adequate if it is complete and precise and includes all of the material background information (e.g. formulas, parameters, decisions below management board level, material justifications for these) to enable a competent person to understand and review the content of the decision.

57 It is not necessarily required to create entirely new documents. References to existing documents and the inclusion of such documents may suffice, provided that they are clear and present the basis for the decision in a comprehensible manner.

9.3 Internal review of the governance system

58 The full management board assesses the governance system on a regular basis (section 23 (2) of the VAG), the frequency of assessments to be laid down in accordance with the undertaking’s risk profile, and ensures that any required changes are implemented promptly. Assessments of individual units of the system of governance can be made by the management board member responsible for this unit. The full management board must, however, as part of its overall responsibility, be aware of the outcome of this assessment and manage the resulting implementation. Therefore, every member of the management board needs to understand at least the material risks to which the undertaking is exposed.

59 The assessment relates to the governance system in its entirety. It builds on existing findings, such as those gained in the review of the policy or obtained by the internal audit function during its review of the system of governance, or by other key functions in carrying out their tasks. A separate process is not required. If findings of the internal audit function are used in the assessment of the system of governance, it should be noted that the audit perspective under section 23 (2) of the VAG differs from the perspective under section 30 (1) of the VAG. The management board will proactively assess in particular whether the system of governance supports the objectives of the business and risk strategies. The internal audit function, on the other hand, examines whether the system of governance of the audited areas is effective and appropriate at the time of the audit.

60 The outcome of the assessment of the system of governance and the implementation of the changes required must be documented.

61 The full management board determines the grounds for extraordinary assessments of the system of governance.

9.4 Written guidelines

62 The written guidelines are a tool the management board uses to ensure that the organisational units act in accordance with their tasks and duties as well as in an effective and targeted manner. The written guidelines serve to make key elements of the system of governance – such as the segregation of duties, reporting lines and proportionality – transparent for operational implementation in the undertaking.

63 The undertakings themselves decide on the form of the written guidelines under section 23 (3) of the VAG. This means that the guidelines may be provided digitally as well as in writing. Regardless of the form chosen for providing them, the guidelines must be accessible and transparent for the persons concerned in the undertaking.

9.4.1 General information

64 Undertakings are free to formulate the written guidelines as they see fit. Accordingly, organisational rules for key functions can be included in the guidelines of the relevant systems of governance or documented in separate guidelines. For example, it is permissible to include the organisational rules for the independent risk management function in the written guidelines for the risk management system. However, a common written guideline for all key functions is also acceptable.

65 The written guidelines are implemented in practice through appropriate work procedures. The level at which responsibility for these work processes lies must be defined.

66 Written guidelines agreed at group level do not automatically apply to the legally independent individual undertakings. This also applies if control agreements are in place. Written guidelines must therefore be issued separately by the legally independent individual undertakings. Guidelines agreed at group level may – subject to undertaking-specific adjustment, if necessary – be adopted by an individual undertaking. If existing documents of the individual undertaking already contain the specified content of the guidelines at group level, they can be referred to and used as guidelines.

9.4.2 Content of the written guidelines

67 The written guidelines must clearly set out the basic rules and regulations regarding the operational structures, competences, powers and reporting processes. The corresponding interfaces and delimitations must be stated in the relevant written guidelines in order to avoid duplication of tasks.

68 The written guidelines of the relevant organisational units must set out which information is relevant for the key functions and state that such information must be conveyed to the key functions. Irrespective of this, key functions must have unrestricted access to all the information they need in order to fulfil their tasks (see margin no. 86).

69 The written guidelines must be consistent with each other and with the business and risk strategies.

9.4.3 Adoption and review of the written guidelines

70 The minimum requirements in this section 9.4.3 apply at least to the written guidelines within the meaning of section 23 (3) sentence 2 of the VAG on the system of governance. The minimum requirements do not apply to the work procedures implementing the guidelines.

71 In order to support the business and risk strategies to be determined by the board, the full management board must agree on the written guidelines at least upon their initial adoption, as well as in the event of significant amendments.

72 The written guidelines specified in section 23 (3) sentence 2 of the VAG must be reviewed regularly, at least once a year, using methods appropriate to the undertaking’s risk profile. The grounds for ad hoc reviews of the individual policies are determined by the full management board.

73 The persons or organisational units responsible for the review of the written guidelines must be named. The review must take into account that amendments to a written guideline may have a direct impact on the other written guidelines.

74 The reviews of the written guidelines must be documented. The findings and any need for amendments resulting from these findings are to be reported to the management board.

75 Any identified need for significant amendment of a written guideline listed in section 23 (3) sentence 2 of the VAG must be reported to the full management board, which must then justify its corresponding decision in a brief but comprehensible manner. The decision must be documented together with the justification. In the case of non-significant amendments, it is sufficient for the responsible member of the management board to take note of the amendment, which must be documented accordingly.

76 For guidelines that are not expressly listed in section 23 (3) sentence 2 of the VAG, insurance undertakings may determine at their own discretion, in a manner appropriate to their risk profile, at what intervals the guidelines are to be reviewed and whether and in what form the management board is to be involved in the initial adoption and any significant amendments.

9.4.4 Knowledge of and compliance with written guidelines

77 The staff must be notified of the current written guidelines that are relevant to them.

78 Undertakings must implement internal controls to ensure that all conduct is in accordance with the written guidelines and that any violations are identified promptly.

9.5 Automated business processes

79 As part of the organisational and operational structure, it must be ensured that automated business processes that involve risks, which also include automated underwriting, automated case-by-case decisions in claims and benefit processing, as well as automated portfolio management, are appropriately managed and monitored and that the requirements for the system of governance are met. In addition to an assessment of the automated business processes from a risk perspective, this requires in particular that all automated business processes be identifiable and documented in a comprehensible manner, that there be opportunities for persons responsible to intervene if necessary and that it be ensured that the full management board is informed of the main features of the setup, design and functioning of the automated business processes.

80 The automated business processes must be quality-assured at the operational level, in a manner appropriate to the risk profile. To this end, processes must be established for both before the go-live date and during ongoing operations.

81 The development, control and monitoring processes associated with the automated business processes must be assessed independently on a regular basis and in a manner appropriate to the risk profile.

10 Key functions

10.1 General requirements and position in the undertaking

82 The “key functions” are the internal audit function, the compliance function, the independent risk management function (IRMF) and the actuarial function. A distinction must be made between the term “key function” and the term “key task”. Undertakings may, at their own discretion, determine other key tasks in addition to the key functions (see Circular 11/2023 (VA) on the fit and proper assessment of the professional qualifications and good repute of individuals responsible for key functions or who carry out key functions, in accordance with the Insurance Supervision Act). To this end, undertakings must examine whether any and, if so, which areas are significant enough to be considered key tasks. These could be the IT security, investments or legal areas, for example.

83 The undertaking is free to decide how it will set up the key functions, but the purpose of the respective key function and the principle of proportionality must be taken into account. Centralised and specialist team structures as well as decentralised, integrated or hybrid structures may be taken into consideration (regarding outsourcing, see sections 13.4 and 13.5). The structures chosen must not impair the effective, objective, fair and independent performance of the key functions. This applies in particular to the internal audit function.

84 The key functions must be given a prominent position in the undertaking; they have equal priority and are on equal terms. Persons internally responsible for a key function (see 10.1.1) who are not members of the management board are subject only to the instructions of the management board in terms of the performance of the key function. This also applies if the key function is not directly subordinate to the management board level from an organisational point of view. The full management board serves as the escalation level in the event of disputes between key functions for which either the same member of the management board is responsible or which cannot be resolved between the respective responsible members of the management board.

85 The key functions must fulfil their tasks effectively, objectively, fairly and independently at all times. The manner in which key functions fulfil their tasks can be tailored to the individual undertaking. However, it is crucial that tasks be defined and assigned in a clear and transparent manner, in particular with regard to integrated approaches to the organisation of a key function. This must be laid down in written guidelines.

86 Key functions must be equipped with sufficient human and material resources as well as the authorisation necessary to be able to perform their tasks effectively. The powers of the key functions must be set out in written guidelines. The rights and obligations of the key functions are determined on the basis of their specific tasks. At a minimum, this includes unrestricted access to staff and to all information necessary for fulfilling their tasks, unrestricted access to relevant data and systems and establishing a direct reporting line to the management board.

87 Also in the group context, affiliated undertakings must establish all key functions at the level of the individual undertaking. The undertaking responsible for fulfilling the requirements for the system of governance at group level must ensure that the key functions are also established at group level.

10.1.1 Person internally responsible for a key function

88 For all forms of organisation, including decentralised ones, there must be a natural person who is responsible for ensuring that the relevant key function fulfils its tasks properly, regardless of the ultimate responsibility of the full management board. In the case of a key function established internally within the undertaking, this means the “person internally responsible” for this function (see sections 13.4 and 13.5 on outsourcing). This responsibility may not be assigned wholly or partially to several natural persons. However, there can be many persons carrying out a key function, i.e. contributing to the key function’s work.

89 A member of the management board may only be the person internally responsible for a key function in individual cases (see 13.4 and 13.5 on outsourcing), i.e. in particular if this arrangement is appropriate to the undertaking’s risk profile. However, section 23 (1) sentence 3 of the VAG is applicable, meaning that there must be a segregation of responsibilities appropriate to the undertaking’s risk profile, also in terms of the person’s tasks as an internally responsible person and their duties as a member of the management board. Furthermore, Article 258(1)(g) of the Delegated Regulation is applicable, meaning that the undertakings must ensure that the assignment of the additional task as an internally responsible person does not or is not likely to prevent the relevant member of the management board from carrying out all their duties – including, where applicable, at other undertakings – in a sound, honest and objective manner. This requires sufficient time capacities, among other factors. Reference is also made to Circular 11/2023 (VA) on the fit and proper assessment of the professional qualifications and good repute of individuals responsible for key functions or who carry out key functions, in accordance with the Insurance Supervision Act.

90 The principle of proportionality must be observed if a person working as a member of the management board or working below the management board level is at the same time internally responsible for multiple key functions. The higher the number of key functions affected, the more precisely undertakings must demonstrate that this structure is appropriate to their risk profile. A further limit for the assignment of multiple tasks to the same person is set out in Article 258(1)(g) of the Delegated Regulation (see margin no. 89). Special conditions apply with regard to the internal audit function (see section 10.4).

10.1.2 Information flow

91 The relevant person internally responsible for a key function (see section 10.1.1) must report directly to the full management board. To this end, the person responsible prepares a regular written report at least once a year. This report must be comprehensible and addressed to the full management board. In the event of acute, serious incidents and findings, an ad hoc report must also be prepared. As a rule, the ad hoc report must be submitted to the full management board. This reporting obligation also applies if the key function is not directly subordinate to the management board level from an organisational point of view.

92 Conversely, the management board must notify persons internally responsible for the relevant key function in a proactive and timely manner of all facts that may be required for them to fulfil their responsibilities. This obligation to notify the person internally responsible for the relevant key function applies accordingly to other business units.

93 Similar information flows must also be established between the key tasks established by the undertaking and the management board.

10.2 Compliance function

94 Within the framework of the following paragraphs, the compliance function must monitor compliance with the applicable laws and regulations, supervisory requirements and external standards.

95 With regard to external standards within the meaning of margin no. 94, only those external standards are to be adhered to that are highly important to the undertaking or deal with material risks and were originally defined by nationally or internationally recognised players. The external standards to which the above criteria apply must be determined individually for each undertaking, taking into account the principle of proportionality. The external standards identified must be consistently taken into account in the written guidelines and the compliance plan.

96 In particular, the compliance function monitors whether compliance with the applicable laws and regulations, supervisory requirements and external standards is ensured through suitable and effective internal procedures. It is not necessary for the compliance function itself to implement such procedures. Instead, the compliance function is responsible for monitoring the units concerned to ensure they independently set up suitable and effective procedures. For monitoring purposes, the compliance function must be familiar with the internal requirements that ensure compliance with the applicable laws and regulations, supervisory requirements and external standards. A review of the compliance with these internal requirements must be carried out. It is not necessary for the compliance function itself to fulfil this task. Where necessary, the compliance function must be familiar with at least the nature, scope and results of the review carried out by other units and assess them from a compliance perspective.

97 The monitoring activities cover at least those legal aspects involving material risks for the undertaking. Regardless of this, however, the compliance function must monitor at least the laws, regulations and supervisory requirements applicable to the operation of the insurance business, as well as the external standards determined by the undertaking (see margin no. 96).

98 The responsibility and schedule of duties of an officer required by law remain unaffected. However, the fact that an undertaking has an officer required by law does not mean that the legal areas for which the officer is responsible are completely excluded from the responsibility of the compliance function. In the case of legal areas involving material risks, the compliance function must then at least monitor these officers’ performance of their stipulated duties.

99 The compliance function advises the management board on compliance with the laws, regulations, supervisory requirements and external standards determined by the undertaking that apply to the operation of the insurance business. Among other things, the compliance function may support the management board in making staff aware of compliance issues and ensuring that these issues are taken into account in daily work.

100 The compliance function assesses the potential impact of changes in the legal environment. To this end, it must monitor and analyse developments in the legal environment, including sustainability requirements, at an early stage.

101 The compliance function informs the full management board as part of regular reporting (see margin no. 105) on significant changes in the legal environment. The full management board must be informed promptly through an ad hoc report of any imminent or actual serious violations and the measures to be taken to maintain or restore compliance.

102 The compliance function identifies and assesses compliance risks. Compliance risks include all risks that result from non-compliance with the applicable laws and regulations, supervisory requirements and external standards.

103 The compliance function identifies and assesses compliance risks from a risk perspective at regular intervals.

104 The activities of the compliance function are based on a compliance plan. The compliance plan takes into account all relevant business units. The activities are selected based on risks. The plan must be reviewed regularly to ensure it is up-to-date.

105 The compliance function regularly prepares a report on current compliance issues, at least once a year, which it submits to the full management board. For the compliance function’s ad hoc reporting obligation, see margin no. 91. At a minimum, the report explains the material compliance risks and the measures taken to mitigate these risks and provides the full management board with an overview of the adequacy and effectiveness of the procedures implemented to ensure compliance with the applicable laws and regulations, supervisory requirements and external standards.

10.3 Actuarial function

10.3.1 General requirements for the actuarial function

106 Undertakings must establish an actuarial function as a key function. In addition to the actuarial function, the VAG also requires a responsible actuary for life insurance, substitute health insurance, accident insurance with premium refunds, and liability and accident pensions (see section 10.3.7).

10.3.2 Responsibilities of the actuarial function

107 The schedule of the actuarial function’s responsibilities is defined in section 31(1) of the VAG in conjunction with Article 272 of the Delegated Regulation. The transitional provisions in sections 351 and 352 of the VAG must also be taken into account, insofar as they are relevant to the undertaking.

108 It is also generally possible to assign responsibilities to the actuarial function that go beyond the specified schedule of responsibilities if conflicts of interest have been analysed and appropriate measures have been implemented to handle these.

10.3.3 Coordination of the calculation and validation of the technical provisions

109 The decision regarding who carries out the calculation of the technical provisions within the meaning of section 75 et seq. of the VAG is left up to the undertaking.

110 The decision regarding who carries out the validation within the meaning of Article 264 of the Delegated Regulation is also left up to the undertaking. This does not affect the actuarial function’s responsibilities under section 31 (1) of the VAG in conjunction with Article 272 of the Delegated Regulation.

111 The calculation of the technical provisions and the validation within the meaning of Article 264 of the Delegated Regulation are segregated in a way that avoids conflicts of interest and in particular does not unreasonably impair the independence of the validation. In line with the principle of proportionality, this requirement can be considered fulfilled for undertakings with a lower risk profile if the processes for the validation and calculation are segregated. However, the staff carrying out the validation and calculation may need to be separate individuals in accordance with the principle of proportionality.

112 The validation within the meaning of Article 264 of the Delegated Regulation includes the calculation methods and data used, the assumptions made, as well as the complete record of the obligations to be assessed. It is necessary to determine the impact of changes in methods, assumptions and underlying data from one reporting date to the next.

113 Within the scope of its competence, the actuarial function is responsible for ensuring that an appropriate validation is carried out in accordance with Article 264 of the Delegated Regulation. In this context, the actuarial function must fulfil the following tasks.

114 The actuarial function evaluates whether the correlations between the method selection, the assumptions and the data quality and availability are taken into account. This includes consideration of the source and intended use of the data.

115 In its review of which validation process is the most appropriate one, the actuarial function takes into account the characteristics of the insurance obligations.

116 The actuarial function regularly reviews the validation processes and ensures that they are adjusted as necessary. For this purpose, it incorporates the empirical values acquired from previous validations and any changes in market conditions.

117 The actuarial function ensures that both quantitative as well as qualitative aspects are taken into account in the validation.

10.3.4 Tasks relating to future profit participation

118 The actuarial function ensures that future profit participation is adequately reflected in the technical provisions under Solvency II. This also includes appropriate consideration of any correlations between future new business and future profit participation.

The actuarial function must consult the responsible actuary in the relevant class of insurance as to whether the future management rules required for this are realistically modelled. No additional validation is necessary on the part of the responsible actuary in this context.

119 The statement issued by the group-level actuarial function on future profit participation must comply with national legal requirements. To this end, the group-level actuarial function must involve the local actuarial functions and, where applicable, the responsible actuary or equivalent persons.

10.3.5 Assessment of data quality in the valuation of the technical provisions

120 For the assessment of the data quality, the actuarial function takes into account the results of analyses carried out as part of external or internal data quality reviews.

121 When assessing the completeness of the data, the actuarial function reviews whether the quantity and the level of detail of the available data suffice for the application of the calculation method used and for the segmentation of the insurance obligations.

122 The actuarial function investigates material shortcomings in the data and ascertains the causes for these. To this end, it also reviews internal processes and consults the staff responsible as required. It puts forward solutions for rectifying the shortcomings to the management board.

123 The actuarial function documents the material shortcomings, their causes and the solutions implemented. It also outlines any potential material effects of these shortcomings on the calculation.

124 The actuarial function formulates recommendations as necessary for improving internal procedures as part of data management in order to ensure that the undertaking is capable of meeting the relevant requirements under Solvency II.

125 It reviews in which circumstances additional external data and/or market data are required. It also evaluates the quality of these additional data.

126 The actuarial function assesses whether the reliability of the estimates can be improved by adjusting the available data.

10.3.6 Statement on the underwriting policy and reinsurance

127 The actuarial function supports the management board by analysing the correlations between the underwriting and acceptance policy, the price calculation, the reinsurance policy and the technical provisions. The actuarial function must assess the compatibility of the underwriting and reinsurance policy with the undertaking’s risk profile.

128 The necessary analysis of the underwriting and acceptance policy and the assessment of the adequacy of the premiums to be earned and the price calculation does not generally take place at the individual product level, but rather at an appropriate abstraction level. The analysis of the underwriting and acceptance policy must appropriately take into account the underlying risks. This applies in particular to the relevant underwriting, macroeconomic, sustainability and legal risks as well as the risks of changes in the legal environment.

129 The necessary analysis of the reinsurance policy includes the effectiveness of the reinsurance agreements under stress conditions. It must also be analysed whether reinsurance will lead to a higher reduction in the solvency capital requirement than is justified by the risks actually transferred, or whether reinsurance will result in new risks that are not taken into account in the solvency capital requirement. The scope of the analysis depends on the significance of the hedging arrangements. Taking into account the risk profile, materially insignificant hedging justifies a less extensive analysis. When determining significance, undertakings must consider whether the hedging arrangements will individually or collectively result in a materially significant deviation of the risk profile from the assumptions underlying the solvency capital requirement. Information and findings obtained as part of risk management in the assessment of the impact and effectiveness of the risk transfer (see margin no. 180) or obtained in the validation of an approved internal model can be taken into account.

130 Quantitative analyses are also carried out on a regular basis.

131 In cases where undertakings provide life insurance contracts with long-term interest rate guarantees, the actuarial function also addresses in its statement based on Article 272 point 6(a) of the Delegated Regulation in particular the extent to which the premiums to be earned in new business are sufficient to cover future claims and expenses with regard to the level and type of the embedded interest guarantees. A general reference to the fact that the guaranteed interest rate used for the price calculation does not exceed the applicable maximum technical interest rate under section 2 of the German Premium Reserve Regulation (Deckungsrückstellungsverordnung – DeckRV) is not sufficient. Rather, the individual risk profile must be taken into account in the underlying analyses. Particular consideration must be given to the extent to which the undertaking is likely to be able to meet the obligations arising from the interest guarantees on new business from the expected future returns on its investments.

10.3.7 Relationship between the person responsible for the actuarial function and the responsible actuary

132 Responsible actuaries fulfil a protective function for customers. They ensure equal treatment and that surpluses are used appropriately. In addition, the responsible actuary must ensure that the calculation of the premium reserve under commercial law is in accordance with the relevant statutory regulations and that premiums are calculated in such a way that an adequate premium reserve can be established. The responsible actuary also reviews whether the undertaking is in a position to fulfil its obligations under the insurance contracts at all times. If the responsible actuary is at the same time the responsible person for the actuarial function, the undertaking reviews whether this combination could lead to conflicts of interest.

133 The tasks of the responsible actuary with respect to compliance with the statutory regulations for provisions under commercial law and the appropriate premium calculation usually do not impair the role of the actuarial function so severely that an organisational segregation would be considered necessary.

134 In the case of life insurance contracts with profit participation, conflicts of interest between the responsible actuary and the actuarial function are possible. Although profit participation rates are determined by the management board, it cannot simply disregard the responsible actuary’s proposal under section 141 (5) no. 4 and (6) nos. 2 and 3 of the VAG. Profit participation that is appropriate from the responsible actuary’s perspective may harbour excessive risks from the point of view of the actuarial function, while profit participation that is adequate for the undertaking’s risk profile from the point of view of the actuarial function may be inadequate for customers from the responsible actuary’s perspective. If conflicts of interest are possible in individual cases, the person responsible for the actuarial function can only be the responsible actuary at the same time if the undertaking takes suitable and effective measures to ensure that the person in question performs each of the two tasks in an objective, fair and independent manner.

135 When formulating its statement on the sufficiency of the premiums to be earned on life insurance contracts with long-term interest guarantees as set out in margin no. 131, the actuarial function can make use of existing analyses by the responsible actuary. In this case, however, the actuarial function examines whether further analyses are necessary, for example in order to assess the correlations between the interest rate assumptions used in the price calculation and the technical provisions for the solvency statement as well as the cover of the solvency capital requirement.

136 The information on life insurance under margin no. 134 applies accordingly to accident insurance with premium refunds. The extent of the measures required depends on the share that these contracts constitute of the total business volume and the associated risks.

137 If, in individual cases in the context of substitutive health insurance, conflicts of interest are possible where the person responsible for the actuarial function is also the responsible actuary, the involvement of the independent trustee with regard to the tasks legally assigned to the trustee in similar-to-life techniques (SLT) can generally be regarded as a sufficient accompanying measure, provided that the actuarial function is not assigned any tasks that go beyond the specified schedule of duties. If further tasks are assigned to the actuarial function, the principles specified in margin no. 134 last sentence and margin no. 111 apply.

138 If the responsible actuary is solely responsible for setting up premium reserves for property/casualty pensions, there is generally no conflict of interest if the person responsible for the actuarial function is also the responsible actuary.

10.3.8 Actuarial function’s duties to inform

139 Under Article 272(8) of the Delegated Regulation, the actuarial function regularly submits to the management board a written report documenting all material results achieved (Actuarial Function Report) at least once a year.

140 The Actuarial Function Report clearly identifies any deficiencies as well as recommendations on remedying such deficiencies. It also contains information on changes at least in the underlying assumptions and methods used. A general note to the effect that the situation has not changed compared with the previous year is not sufficient. However, the report may make specific references to individual aspects.

141 The Actuarial Function Report cannot be replaced by individual sub-reports. It must be inherently comprehensible for the full management board.

142 The actuarial function is free to report separately on individual topics in addition to the Actuarial Function Report. Material aspects from these reports must be incorporated into the next Actuarial Function Report.

143 The responsible actuary and the actuarial function must each prepare a separate report if a report is to be drawn up. This also applies if the responsible actuary is at the same time the person responsible for the actuarial function. In the event of overlaps, e.g. in relation to an analysis of data quality, the Actuarial Function Report can also address or refer to findings from the report submitted by the responsible actuary and assess them independently. The actuarial function ensures that these findings can also be applied under Solvency II.

10.4 Internal audit function

144 All undertakings must establish an internal audit function. No exceptions to this rule are permitted.

145 The audit assignment for the internal audit function relates to an undertaking’s entire system of governance, including outsourced units and processes.

146 Compliance with the audit plan, i.e. fulfilling the audit function, takes priority over the consultancy function. In this respect, the internal audit function may potentially restrict consultancy activities.

147 The internal audit function is not subject to any influences that could impair its independence and impartiality in completing its tasks.

148 The internal audit function must be independent of all business units in the undertaking. This applies to the person responsible for the internal audit function as well as to all individuals who work for the internal audit function.

149 In particular, the internal audit function must not be impaired, even indirectly, in carrying out the audit, evaluating the audit results or reporting on these results. The internal audit function reports directly to the full management board on its results, findings, concerns, recommendations for improvement, etc., without being influenced to make changes beforehand.

150 The full management board’s right to issue instructions in relation to the internal audit function’s audit schedule does not conflict with the internal audit function’s independence. This rule does not affect Article 271(3) sentence 2 of the Delegated Regulation.

151 The internal audit function must be independent of other operational functions or activities (section 30 (2) sentence 1 of the VAG). This applies equally to all undertakings; proportionality aspects are irrelevant in this respect.

152 The other key functions are permitted to cooperate with the internal audit function. To prevent inappropriate influence from other key functions, clear responsibilities must be defined, among other things.

153 The person internally responsible for the internal audit function may also be the person internally responsible for other key functions if the conditions set out in Article 271(2) of the Delegated Regulation are cumulatively met. The higher the number of key functions affected, the more precisely undertakings must demonstrate that this structure is appropriate to their risk profile and that the independence of the internal audit function cannot be impaired. Article 258(1)(g) of the Delegated Regulation also applies (see section 10.1.1).

10.5 Independent risk management function

154 This Circular consistently uses the term “independent risk management function” (IRMF). It is synonymous with the term “risk management function”.

155 The schedule of responsibilities of the IRMF is defined in particular in section 26 (8) of the VAG in conjunction with Article 269 of the Delegated Regulation. Among other things, the IRMF significantly advances the implementation of the risk management system. In this context, the IRMF ensures that appropriate processes, procedures and methods are implemented for operational risk management.

156 The IRMF assists the full management board and other functions in effectively operating the risk management system. In this respect, the IRMF must in particular:

a) regularly assess whether the risk strategy is consistent with the corporate strategy,

b) regularly assess whether the written guidelines are adequate with regard to the risk management system,

c) promote risk awareness among the staff affected by the risk management system,

d) regularly assess the methods and processes for risk identification, assessment, management, monitoring and reporting and develop these further where appropriate,

e) propose limits and, if necessary, other risk-mitigating measures and

f) assess planned strategies from a risk perspective.

157 The IRMF monitors the risk management system. In this respect, the IRMF must in particular:

a) develop processes and procedures for monitoring the risk management system and

b) monitor the adequacy of the risk management system on a continuous basis.

158 The IRMF monitors the undertaking’s general risk profile. In this respect, the IRMF must in particular:

a) identify, assess and analyse the risks, including sustainability risks, at least at an aggregate level,

b) monitor the measures aimed at mitigating risk,

c) monitor the limits and the risk at least at an aggregate level and

d) coordinate the implementation and documentation of the undertaking’s own risk and solvency assessment.

159 The IRMF reports to the full management board in writing on all material risk management issues as set out in margin no. 91. In contrast to the written reports of other key functions, the following special rule applies to IRMF reporting: duplicate reporting is not necessary as part of the system of governance. The own risk and solvency assessment (ORSA) report regularly informs the full management board about significant risk exposures and the overall risk profile, among other things. If the IRMF considers the information provided in the ORSA report to be appropriate and complete, this information does not have to be reported again. The IRMF also reports regularly in writing to the full management board on material risk management issues not included in the ORSA report, such as the suitability of the risk management system, any material shortcomings the system may have as well as its potential for improvement. Material information that has already been presented to the full management board in another report is only to be included again if and to the extent that it is necessary to enable an understanding of the statements in this written report. The written report must be submitted to the full management board at least once a year, and ad hoc in the event of significant changes. Ad hoc reporting may be limited to the content that is affected by the significant change and that is necessary for understanding it.

160 The IRMF advises the management board on risk management issues and assists it in rectifying any shortcomings and in developing the risk management system on a continuous basis.

11 Risk management system

11.1 Role of the management board in the risk management system

161 The full management board is responsible for ensuring that the structure and design of the risk management system are effective and appropriate with regard to the undertaking’s risk profile. This includes appropriate reporting procedures and processes which ensure, in particular, that information is provided at least on all material risks and that the effectiveness of the risk management system is actively monitored, analysed and improved where necessary.

162 The full management board’s collective responsibility for the risk management system relates to the executive tasks. These tasks include, for example, taking the strategic decisions and defining the organisational framework for risk management, and therefore specifically also incurring/assuming and managing material risks.

163 The executive tasks also include developing a risk strategy. This strategy must be reviewed on a regular basis, at least once a year, and adapted as necessary. The risk strategy, its review and any changes made to it must be documented. The risk strategy reflects the risks arising from the business strategy. It also contains a statement on the undertaking’s risk appetite, both at the aggregate level and with regard to the material risks, for achieving the strategic objectives. The risk strategy must be structured in such a way that the operational management of the risks can be linked to it. It is possible to define individual elements of the risk strategy in other strategies, such as the IT or sustainability strategy. In these cases, reference should be made in the risk strategy to the specific points in the other strategies. The requirement for the risk strategy, for example the annual review, then also applies to the corresponding sections of the other strategies.

164 The full management board must appropriately consider the information from the risk management system in their own decisions. This also requires adequate involvement of the IRMF as the central unit for the operational management of risks. Inclusion of the IRMF does not release the full management board from its responsibility for its own decisions.

11.2 Risk management policy

165 The written risk management policy includes, at a minimum, requirements for the areas specified in section 26 (5) sentence 1 of the VAG. It defines and categorises at least the material risks, unless these are determined in the risk strategy. It also specifies the approved risk tolerance limits, at least for the material risks. The effects of sustainability risks must be appropriately taken into account at least in the risk management areas of underwriting and reserving (section 26 (5) sentence 1 no. 1 of the VAG), investment risk management (section 26 (5) sentence 1 no. 3 of the VAG) and, if necessary, other risk management areas.

166 Aside from defining the tasks, position and powers of the IRMF, the written risk management policy also states the duties, position and powers of the other key functions, provided that these perform duties within the risk management system. The written risk management policy may refer to any of these tasks and powers of the other key functions that are already contained in other written policies.

167 The written risk management policy contains specifications on undertaking-specific stress tests. In this context, undertakings specify the units to be included, the reference dates or triggers, the processes, the assumptions and the possible methods. It is also necessary to determine how to proceed if a specified limit value is exceeded.

11.2.1 Risk management policy for operational risk

168 Operational risks within the scope of risk management include IT risks, irrespective of whether these result from the IT organisational structure, the IT systems or the IT processes.

169 Operational risks within the scope of risk management also include legal risks.

170 Risks of legal changes, at least those linked to transactions concluded in the past, must be adequately taken into account from a risk perspective. Risks of legal changes involve risks that arise based on a change in the legal environment, including changes to the supervisory requirements.

171 Another type of operational risk in the context of risk management is sustainability risk, which can have a direct impact on the undertaking’s own business operations.

172 An analysis of the operational risks must also be carried out before products, processes and systems are implemented or materially changed. The results of this analysis must be taken into account in the decision-making process.

173 In order to identify and monitor potential operational risks, the undertakings implement a suitable process that at least records and evaluates internal loss events. Thresholds appropriate to the undertakings’ individual risk profile must be determined for this purpose. The process steps required must be adequately documented.

174 When identifying potential operational risks, undertakings must also take into account known external loss events.

175 The undertakings check whether to introduce suitable key risk indicators or key performance indicators as part of their early warning system.

176 Material loss events resulting from operational risks must be reported both to the full management board and the IRMF without delay and analysed in relation to their causes. The loss events that are covered by this must be determined individually for each undertaking. In the event of material loss events, the full management board decides whether additional measures need to be implemented and which measures these are. The implementation of the measures must be monitored.

11.2.2 Risk management policy for reinsurance and other risk mitigation techniques

177 The risk management policy for reinsurance and other risk mitigation techniques specifies the targeted level and the effectiveness of risk transfer. This level must be based on the defined risk tolerance limits. The risk management policy must also specify the type of reinsurance or other risk mitigation techniques selected by the undertaking. The type chosen must be the type most appropriate to the undertaking’s risk profile. The criteria for selecting reinsurance arrangements or other risk mitigation techniques must also be defined.

178 Principles must be developed for selecting counterparties for reinsurance contracts and other risk mitigation techniques. Such principles also include procedures for assessing and monitoring the performance and creditworthiness of reinsurers and other risk mitigation partners. If the undertaking relies on external ratings to assess creditworthiness, it reviews the suitability of such ratings by carrying out additional assessments wherever possible.

179 If the undertaking decides in favour of reinsurance arrangements or other risk mitigation techniques, risk management takes into account all associated risks, in particular the credit risk associated with the relevant risk mitigation technique and, if a reinsurer from a third country is selected, the risks associated with this. This includes documenting at least the material risks, the resulting measures and the potential consequences.

180 The undertaking identifies and assesses the extent, the impact and the effectiveness of the risk transfer, including potential basis risks. This includes a holistic analysis of the risks transferred through reinsurance or another risk mitigation technique with regard to the undertaking’s own risk profile and the requirements for including these risks in the standard formula. In this context, the technical, counterparty and concentration risks must be addressed in particular. The procedures and criteria necessary for identifying and assessing these aspects of the risk transfer must be defined and must be appropriate to the risk profile. Information and findings obtained by the actuarial function as part of its statement on underwriting policy and reinsurance (see margin no. 129) may be taken into account here.

181 With regard to reinsurance and other risk mitigation techniques, liquidity management also takes into account possible liquidity shortfalls resulting from a timing mismatch between the insurance benefits to be paid and the receipt of amounts recoverable from reinsurers and other risk mitigation partners.

182 If the risk transfer to a reinsurer is significant for the undertaking, the undertaking considers the following scenarios in advance. The undertaking takes into account that the reinsurer may, within the scope of the contractual provisions, terminate or not renew significant reinsurance contracts or all reinsurance contracts. It must also be taken into account that the reinsurer may in future only continue the relationship on less favourable terms or conditions that would not be acceptable to the undertaking. At the very least, if the reinsurance relationship is significant for the undertaking’s own solvency and risk-bearing capacity, specific measures for such scenarios must be defined when the reinsurance contracts are concluded. The undertaking must also take into account the risk-mitigating effects of involving several reinsurers. Depending on the undertaking’s ongoing risk assessment, the necessary measures must be initiated at an early stage.

11.3 Undertaking-specific stress tests

183 Undertaking-specific stress tests are part of a suitable early warning system within the risk management system. These examine the undertakings’ resilience in the face of adverse events or scenarios. Undertaking-specific stress tests can take the form of sensitivity analyses as well as scenario analyses or reverse stress tests.

184 Undertakings must carry out undertaking-specific stress tests as part of the ORSA in accordance with section 27 (3) sentence 2 of the VAG. In addition, undertaking-specific stress tests must also be carried out in other areas of risk management in accordance with Article 259(3) of the Delegated Regulation, insofar as this is appropriate. The guidance on undertaking-specific stress tests as part of the risk management policy (see section 11.2) remains unaffected. The nature, scope and frequency of undertaking-specific stress tests must be appropriate to the risk profile. They cover at least the key drivers for the material risks. Standardised stress tests prescribed by external parties, such as EIOPA stress tests, are generally not suitable as undertaking-specific stress tests.

185 If there are material sustainability risks – which also include material climate change risks – the impact of these must be assessed in both the short and long term using appropriate undertaking-specific stress tests. Where appropriate and possible, a quantitative assessment is also carried out.

186 The undertaking-specific stress tests take into account the material risk concentrations and diversification effects between the risks.

187 The undertaking-specific stress tests reflect events or scenarios with different degrees of severity. Suitable historical and hypothetical events or scenarios form the basis for undertaking-specific stress tests. In particular, undertakings must also assume extraordinary but plausible events or scenarios that could jeopardise the undertaking’s risk-bearing capacity.

188 The suitability of the undertaking-specific stress tests, including the underlying assumptions, must be reviewed regularly.

189 The performance of each stress test application must be adequately documented. At a minimum, the documentation must state the assumptions, the assessments of the results and the measures taken.

190 The management board must take due account of the results of undertaking-specific stress tests when making decisions.

11.4 Additional requirements at group level

191 The full management board of the undertaking responsible for fulfilling the requirements at group level is responsible for the effectiveness of the group-wide risk management system. In this context, the full management board determines the strategic decisions and policy for risk management at group level and decides on both the risk appetite and the risk tolerance limits at group level. It ensures, in compliance with margin no. 66, that the requirements are implemented consistently across the group.

192 The undertaking responsible for fulfilling the requirements at group level must take into account all risks for the entire group in its risk management. The risk arising from intra-group transactions, possible risk concentrations within the group and the reputational risk due to events within the group must also be taken into consideration. The possible interdependencies between the risks of all group companies, including undertakings domiciled in third countries or not subject to supervision, must likewise be taken into account.

12 Internal control system

12.1 General information

193 The internal control system ensures the legality, effectiveness, economic efficiency and practicality of the system of governance. It takes into account the risks relevant to the undertaking and the objectives and requirements the undertaking has set for itself. In addition, it ensures the availability and reliability of the information necessary for business operations.

194 Undertakings must structure their internal control system in accordance with their risk profile. The internal control system is an independent element of the governance system. It must be incorporated adequately into the organisational and operational structures and processes so that it fulfils its purpose.

195 The internal control system must also take into account any outsourced units and processes.

12.2 Internal control framework and reporting arrangements

196 Undertakings must set out in the internal control framework the principles, procedures and measures related to the internal controls. The internal control framework must be appropriate to the undertaking’s risk profile. The internal control framework forms the basis of the internal control system. Together with written guidelines and other internal specifications, it sets out the parameters for monitoring at least the major business units of the undertaking.

197 The nature, frequency and scope of the internal controls are based on the risks of the relevant units and processes. The implementation of the internal controls must be documented.

198 Undertakings ensure that the persons tasked with implementing the internal controls have all of the necessary information at their disposal. The adequacy and effectiveness of the internal controls must be monitored on an ongoing basis by means of appropriate procedures.

199 The results of the monitoring must be reported to the full management board on a regular basis, at least once a year. In addition, ad hoc reports are required in specific situations, particularly in the event of significant shortcomings in the internal controls. The full management board ensures that the required adjustments are implemented in good time.

13 Outsourcing

13.1 Definition

200 The scope of application of section 32 of the VAG covers the outsourcing of functions and insurance activities. The legal definition in section 7 no. 2 of the VAG only refers to the feature “outsourcing” and requires, among other things, that the relevant process, service or activity would otherwise be carried out by the undertaking itself. This criterion is usually met if the undertaking must provide the relevant process, service or activity in compliance with legal requirements or because it is necessary for the undertaking’s business operations. If the criteria of section 7 no. 2 of the VAG are met, it must be examined cumulatively whether a function or insurance activity within the meaning of section 32 of the VAG exists. This limits the specific outsourcing controls in a commensurate manner. A function or insurance activity may also exist if the relevant situation occurs not only in insurance undertakings but also in other enterprises (e.g. investment).

201 It should be noted that the general supervision of violations of consumer protection law may intervene in cases where there is no outsourcing within the meaning of section 7 no. 2 of the VAG. This is because, with regard to primary insurance undertakings under section 294 (2) sentence 2 of the VAG in conjunction with section 298 (1) of the VAG, the general supervision of violations of consumer protection law covers all circumstances that could jeopardise the interests of the insured. This also includes service relationships that are not subject to the outsourcing requirements. For example: canteen operations by an external service provider are not subject to the outsourcing concept because the relevant activities would not otherwise necessarily be carried out by the undertaking itself and are therefore not subject to the specific outsourcing controls exercised by the supervisory authority. However, if repeated staff absences were to result from hygiene issues, thus jeopardising proper business operations, this may constitute an irregularity which entitles the supervisory authority to take action.

202 The criteria for distinguishing between outsourcing and other service contracts include not only the content of the relevant activity, but especially the scope and duration of this activity as well as the frequency with which the service provider is used. These criteria cannot be quantified in absolute terms, but depend on how substantial the activity is for the specific undertaking.

203 The more substantial a third-party service is or the more frequently it is used, the more likely it is that this constitutes outsourcing. The thresholds applied for assuming duration or frequency must be lower the more substantial the relevant unit is for the undertaking. If the service provider is only involved in an operational or advisory capacity on a merely occasional basis, this generally does not constitute outsourcing. However, recurring engagement of the same service provider or frequent use of the same service provider for similar activities under a framework agreement with that provider may be an indication of outsourcing. Conversely, it is conceivable, although rare, that circumstances may arise in which a function or insurance activity is affected and the duration and frequency criteria for use of a service provider are also met, but the unit in question is of minor significance to the undertaking. Circumstances such as these may justify the assessment that no outsourcing is taking place.

204 The agreement between an outsourcing undertaking and a service provider as required for outsourcing does not have to have a specific form, be a specific type of contract or have a specific contract name in order to qualify as an outsourcing agreement.

13.2 Permissible scope

205 Each undertaking may, in accordance with the provisions of this section, outsource all key functions and all tasks which the individual undertaking defines as key tasks.

206 The full management board always retains ultimate responsibility in all cases of outsourcing, including intra-group outsourcing and sub-delegation. Primary executive tasks including responsibility for setting up and developing the risk management system and internal control system cannot be outsourced. Service providers may only be involved in these areas to provide support and advice. The outsourcing of particular sub-areas of the risk management system or internal control system is only possible after careful consideration of the risks involved. This also applies to intra-group outsourcing where there is a control agreement in place.

207 An appropriate segregation of responsibilities must be ensured also in the event of outsourcing (section 23 (1) sentence 3 of the VAG). This applies to both the service provider and the undertaking with regard to the placement of the outsourcing manager’s role within the organisation.

208 If the service provider is located outside the European Economic Area (EEA), the undertaking must pay special attention to the control framework. The undertaking must also be able to effectively monitor such service provider so that it can react swiftly should this provider breach any provisions of the outsourcing agreement. The undertaking ensures that the service provider’s local supervisory authority or the national regulations do not, in particular, restrict access to information on the functions and insurance activities outsourced or to the service provider’s business premises. In the case of outsourcing outside the EEA, the undertaking must also pay attention to differences in national data protection regulations.

13.3 Risk analysis in the context of outsourcing

209 Both before and after outsourcing takes place, the risks associated with the outsourcing must be identified and assessed as well as adequately monitored, managed and reported. IT and sustainability risks in particular must also be taken into account.

210 Undertakings must first determine in an independent and risk-oriented manner whether the transfer of an activity falls under the definition of “outsourcing”. The further assessment as to whether the function or insurance activity to be outsourced is important is also a sub-area of the risk analysis that must be carried out before any outsourcing takes place.

211 Along with the strategic reasons, economic and operational factors and quantitative and qualitative aspects, the risk aspects must also play an appropriate role in any fundamental decision in favour of or against outsourcing. As a rule, the relevant risk categories are strategic risk, operational risk and reputational risk. Particular attention must also be paid to concentration risks if multi-client service providers are used.

212 Undertakings can determine the content and scope of the risk analysis on the basis of proportionality. The intensity of the risk analysis depends on the nature, scale, complexity and risk content of the outsourced activities and processes. The aspects relevant for the risk analysis include, in particular, the material risks of outsourcing, including possible risk concentrations and risks arising from sub-delegation, the suitability of the service provider, exit or alternative strategies, contingency management and legal risks.

213 In the event of material changes to the risk profile in relation to outsourcing matters, a new risk analysis must be carried out and a decision must be made on whether to continue or terminate the outsourcing.

214 The relevant organisational units must be involved in the preparation of the risk analysis. The intensity of the risk analysis and the involvement of the relevant organisational units must be decided on the basis of proportionality. The results of the risk analysis must be documented.

13.4 Outsourcing of important functions and insurance activities

215 In terms of the functions and insurance activities, a distinction must be made between important activities and other activities. Insofar as European legal texts refer to “critical” functions or activities in connection with outsourcing, the requirements for “important” functions or insurance activities also apply to “critical” activities by way of argumentum a fortiori.

216 In the event that important functions or insurance activities are partially outsourced, then the decisive factor is whether the sub-area scheduled to be outsourced is considered important in its own right.

217 Key functions and tasks which the undertaking has defined as key tasks are always considered to be important.

218 In addition, the following units are also generally considered to be important functions or important insurance activities:

distribution, portfolio management, benefits processing, calculation of the technical provisions under Solvency II and under the HGB, accounting, investments and asset management, electronic data processing in relation to important insurance-related activities.

The statement under margin no. 216 also applies to cases of partial outsourcing under margin no. 217 and this margin no. 218.

219 In all other respects, undertakings are responsible for determining whether the relevant function or insurance activity is important and must document this as part of the risk analysis (see section 13.3). The issue of whether a function or insurance activity is important can only be assessed on a case-by-case basis.

220 The assessment of whether a function or insurance activity is or is not important must be repeated and adjusted accordingly whenever the underlying circumstances have changed significantly.

221 The full management board must pre-approve all outsourcing of important functions or insurance activities. The sub-delegation of an important function or insurance activity must at least be pre-approved by the responsible member of the management board.

222 The criteria and the process for categorising a function or insurance activity as important must be set out in the written outsourcing policy and adjusted for any changes in circumstances.

223 Under section 47 no. 8 of the VAG , the intention to outsource functions or other insurance activities must be notified to the supervisory authority without undue delay, with submission of the draft contract. Only a sufficiently concrete intention to outsource important functions or insurance activities is subject to notification requirements.

224 For outsourcing agreements concluded before 1 January 2016, an overview of all existing outsourcing arrangements for important functions and insurance activities must be kept on file. BaFin reserves the right to specifically request this overview if necessary. The outsourcing agreements must be adapted to the requirements under Solvency II as soon as possible, for example as part of contract extensions or content negotiations.

13.5 Outsourcing manager

225 The outsourcing manager monitors and assesses whether the outsourced tasks are carried out properly, without prejudice to the ultimate responsibility of the full management board. The outsourcing manager is a responsible person within the meaning of section 47 no. 1 of the VAG (see Circular 11/2023 ( VA ) on the fit and proper assessment of the professional qualifications and good repute of individuals responsible for key functions or who carry out key functions, in accordance with the Insurance Supervision Act).

226 The outsourcing manager evaluates and scrutinises the service provider’s performance independently and objectively. If a key function is outsourced (see margin no. 91), the reporting process to the full management board of the outsourcing undertaking is as follows: as a rule, the service provider submits the reports to the outsourcing manager, who in the exercise of their monitoring and evaluating role can add to or comment on the reports before forwarding the reports to the full management board to ensure that it has the necessary information. In the case of intra-group outsourcing, the report may be sent directly to the management board, provided that the service provider forwards the report to the outsourcing manager at the same time. This reporting process does not preclude further direct contact between the service provider and the management board of the outsourcing undertaking, for example to discuss particular issues. However, it is not permitted for the service provider only to submit the written reports to the management board without providing the outsourcing manager with the same information. If the outsourcing manager and a member of the management board of the outsourcing undertaking are the same person, it is sufficient for the service provider to report directly to the full management board of the outsourcing undertaking.

227 The management board must notify the outsourcing manager at its own initiative, appropriately and in good time of all facts which the outsourcing manager may require in order to fulfil their responsibilities.

228 An outsourcing manager must be appointed in all cases where key functions and tasks which the undertaking has defined as key tasks are outsourced.

229 A member of the management board of the outsourcing undertaking may at the same time act as the outsourcing manager for a key function or a task which the undertaking has defined as a key task, without this arrangement having to be justified on the basis of proportionality considerations. However, section 23 (1) sentence 3 of the VAG is applicable, meaning that there must be a segregation of responsibilities appropriate to the undertaking’s risk profile, also in terms of the person’s tasks as an internally responsible person and their duties as a member of the management board. Furthermore, Article 258(1)(g) of the Delegated Regulation is applicable, meaning that the undertaking must ensure that the assignment of the additional task as outsourcing manager does not or is not likely to prevent the relevant member of the management board from carrying out all their duties – including, where applicable, at other undertakings – in a sound, honest and objective manner. This requires sufficient time capacities, among other factors. In this regard, it should also be noted that the intensity of monitoring required of the outsourcing manager is significantly greater than that required of the management board. Reference is also made to Circular 11/2023 ( VA ) on the fit and proper assessment of the professional qualifications and good repute of individuals responsible for key functions or who carry out key functions, in accordance with the Insurance Supervision Act.

230 A member of the management board of the outsourcing undertaking may also act as an outsourcing manager if this management board member also works for the group undertaking to which the key function or task defined by the undertaking as a key task has been outsourced (these cases differ from those covered in margin no. 231). However, measures to avoid conflicts of interest in this respect must be taken where needed. The outsourcing manager cannot in any case be at the same time the competent person at the service provider.

231 In exceptional cases, it may be permitted to assign the task as outsourcing manager to a person who does not work at the outsourcing undertaking, but at the service provider or another undertaking, if that person is solely subject to the instructions of the management board of the outsourcing undertaking as far as their tasks as outsourcing manager are concerned and works below the management board level. Moreover, measures to avoid conflicts of interest must be taken where needed. In any case, the outsourcing manager and the competent person at the service provider must not be the same person (for the requirements regarding the professional qualifications of the competent person at the service provider, see Circular 11/2023 ( VA ) on the fit and proper assessment of the professional qualifications and good repute of individuals responsible for key functions or who carry out key functions, in accordance with the Insurance Supervision Act). Example: If a group undertaking operating as a service provider has at the same time established central outsourcing management that monitors and evaluates outsourcings (outsourcing controlling), the outsourcing manager may, in individual cases, work at the undertaking to which the activity was outsourced. This makes it possible for undertakings to establish the outsourcing manager centrally at the service provider or, in the case of intra-group outsourcing, with the central outsourcing controlling. The other requirements of this margin no. 231 and the requirements of margin no. 232 remain unaffected.

232 The question of whether a person, be it a member of the management board or a person working below the management board level, can at the same time be the outsourcing manager for multiple key functions or tasks defined by the undertaking as key tasks depends on the circumstances of the individual case. The higher the number of key functions/tasks affected, the more precisely undertakings must demonstrate that the selected structure is appropriate and how they ensure compliance with the requirements of Article 258(1)(g) of the Delegated Regulation (see margin no. 229).

233 The conditions stated above also apply to the outsourcing manager for the internal audit function. Article 271 of the Delegated Regulation is not applicable in this respect because the outsourcing manager does not perform the internal audit function within the meaning of this provision.

13.6 Intra-group outsourcing

234 The requirements regarding outsourcing also apply to intra-group outsourcing. The following requirements for intra-group outsourcing apply accordingly throughout the entire affiliated group.

235 Intra-group outsourcing must not generally involve less care or less intensive monitoring. Furthermore, intra-group outsourcing cannot automatically be categorised as “not significant”.

236 Nevertheless, intra-group outsourcing may justify some simplifications, the characteristics of which are to be determined on a case-by-case basis. A few examples are provided below.

237 A written agreement which sets out the rights and obligations of both parties in relation to the outsourcing may, for instance, take the form of a service level agreement, provided its contents were not addressed in formal contract negotiations, as is normally the case before a contract is concluded with an external service provider.

238 Under certain circumstances, the review of the intra-group service provider prior to the outsourcing decision may be less detailed than the review required for a service provider from outside the group. However, it must always be checked whether a conflict of interests exists.

239 Undertakings must avoid systematic recourse to an intra-group service provider. The reason is that even an intra-group service provider is at risk of providing highly standardised services without taking the special features of the individual undertaking adequately into account.

240 If functions or insurance activities are outsourced within the group, there must be precise documentation regarding which legal entity has outsourced which function or insurance activity and to which service provider.

13.7 Outsourcing to insurance intermediaries

241 Although they are normally of a permanent duration, typical intermediation activities are not subject to outsourcing requirements. As a rule, a typical intermediation activity exists if no authorisation has been granted to conclude contracts or settle claims.

242 The transfer of underwriting powers or of authorisations related to claims settlement to insurance intermediaries always constitutes the outsourcing of important functions or insurance activities. In this respect, undertakings are not free to exercise discretion. It should be noted that, in accordance with the civil case law of the German Federal Court of Justice (Bundesgerichtshof) (ruling of 14 January 2016, I ZR 107/14), insurance brokers are not permitted to settle claims.

243 In a case of partial outsourcing, the question of whether a partial outsourcing constitutes a significant outsourcing is governed by the statements in section 4. If an undertaking grants underwriting powers or authorisations related to claims settlement to a large number of insurance intermediaries, this will require an overall assessment.

13.8 Outsourcing policy

244 A written policy must be drawn up for the entire area of outsourcing. This must cover the impact of outsourcing on business operations and the procedural and quality standards to be applied individually to each undertaking in cases of outsourcing, along with the reporting and monitoring requirements to be implemented from the beginning to the end of the outsourcing process.

245 The written policy must be consistent with the undertaking’s business strategy.

246 The written policy must include a process for reviewing the relevant service provider. At a minimum, the written policy must cover the following aspects of the process:

the service provider’s financial performance, the service provider’s technical abilities, the service provider’s ability to provide the services outsourced, the control framework and any conflicts of interest.

247 In addition, undertakings must independently determine in the written policy whether any further aspects need to be considered in the review process. If so, these aspects must be adapted in the event of changes in the undertaking’s internal or external circumstances.

248 The outsourcing policy must show how the continuity and undiminished quality of the functions and insurance activities outsourced can also be ensured in the event that the contract with the service provider is terminated.

249 The written policy must include the requirement to develop contingency plans for important functions and insurance activities outsourced that deal with disruptions that may occur at the service provider. The policy must also describe the process and responsibilities for drawing up these contingency plans. The plans must specifically account for how the important functions and insurance activities outsourced can be assigned to a different service provider in an emergency situation or how they can be reincorporated into the undertaking’s business operations.

250 In all other respects, the principles stated in section 4 apply to the written outsourcing policy.

14 Business continuity management

251 Business continuity management increases the resilience of units and processes in the undertaking in order to ensure in potential crisis situations that material data and functions remain available and to guarantee that business activities continue on the basis of processes defined beforehand.

252 The management board is responsible for operational business continuity management. The full management board must agree on the contingency planning.

253 Contingency plans must be created for those units and processes where an unforeseeable disturbance could constitute a risk to the continuation of business activities. Due account must also be taken of the tolerable downtimes and recovery times. The units and processes outsourced must be taken into account for business continuity management purposes. The adequacy and effectiveness of the contingency plans must be ensured on an ongoing basis. Regular test runs or exercises must be carried out for this purpose in accordance with the risks of the relevant unit or process.

254 The contingency scenarios underlying the contingency plans must take adequate account of the undertaking’s individual risk profile.

255 Both the contingency planning and the management of a contingency must be incorporated adequately into the organisational and operational structures and processes. Tasks, responsibilities, information obligations and escalation processes must be set out and documented clearly and comprehensibly.

256 The individuals affected must be familiar with the contingency plans. The availability of the contingency plans must also be ensured in the event of an emergency.
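The requirements in margin nos. 253 to 256 (plans for every unit where a disturbance threatens continuity, tolerable downtimes and recovery times, outsourced units in scope, and risk-based test runs) can be turned into a repeatable self-check over a process register. The following is an added example and not part of the circular or of any undertaking's own tooling; the process register, the three-level risk scale, the test-interval table and the field names are all constructed assumptions made for the illustration.

```python
"""Self-check of a business continuity register against the BCM requirements
(contingency plan present, plan recovery time within tolerable downtime,
risk-based test runs not overdue, outsourced units not skipped).

Added example; the register and all thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Process:
    name: str
    risk: str                  # assumed rating scale: "high" | "medium" | "low"
    tolerable_downtime_h: int  # maximum tolerable downtime of the unit/process, in hours
    outsourced: bool           # outsourced units stay in scope (margin no. 253)
    plan_rto_h: Optional[int]  # recovery time the contingency plan achieves; None = no plan
    last_test: Optional[date]  # last test run or exercise; None = never tested

# Assumed risk-based test cadence in days; the circular only demands that test
# runs follow the risk of the unit, it does not prescribe these numbers.
TEST_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 730}

Finding = Tuple[str, str]  # (process name, issue code)

def check_process(p: Process, as_of: date) -> List[Finding]:
    """Return the list of gaps for one process; an empty list means no finding."""
    findings: List[Finding] = []
    if p.plan_rto_h is None:
        # A unit whose disturbance threatens continuity needs a plan at all.
        findings.append((p.name, "NO_PLAN"))
        return findings
    if p.plan_rto_h > p.tolerable_downtime_h:
        # The plan's recovery time must not exceed the tolerable downtime.
        findings.append((p.name, "RTO_EXCEEDS_TOLERANCE"))
    interval = TEST_INTERVAL_DAYS[p.risk]
    if p.last_test is None:
        findings.append((p.name, "NEVER_TESTED"))
    elif (as_of - p.last_test).days > interval:
        findings.append((p.name, "TEST_OVERDUE"))
    return findings

def review(register: List[Process], as_of: date) -> List[Finding]:
    """Run the check over the whole register; outsourced processes are deliberately
    not filtered out, because they must be covered by the undertaking's BCM."""
    findings: List[Finding] = []
    for p in register:
        findings.extend(check_process(p, as_of))
    return findings

# Constructed sample register and reference date (not real data).
AS_OF = date(2025, 10, 14)
SAMPLE_REGISTER = [
    Process("Claims settlement", "high", 24, True, 8, date(2025, 3, 1)),      # test overdue
    Process("Policy administration", "medium", 48, False, 72, date(2025, 6, 30)),  # RTO too long
    Process("Investment settlement", "high", 8, False, None, None),          # no plan
    Process("Archive retrieval", "low", 720, False, 96, date(2024, 12, 1)),  # compliant
]

if __name__ == "__main__":
    for name, issue in review(SAMPLE_REGISTER, AS_OF):
        print(f"{name}: {issue}")
```

The issue codes rather than free text make the output easy to feed into the documentation of tasks, responsibilities and escalation that margin no. 255 requires; the check is only as good as the register, so the tolerable downtimes and the last test dates have to be maintained for outsourced units as carefully as for internal ones.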
