Travel Risk Management Toolkit Overview

 

Travel Risk Management & Duty of Care

Travel Risk Management (TRM) is the practice of identifying, assessing, and mitigating risks associated with travel. Its primary goal is to ensure the safety and well-being of travelers. TRM encompasses a wide range of activities including destination and/or profile specific risk assessments, travel policy and procedures, a pre-trip approval process, traveler training, utilizing tracking technology to locate travelers, health and medical preparations, contingency planning for emergency situations, insurance, crisis communication capabilities, and post-travel evaluations. An optimized TRM program should be primarily proactive and aim to identify and mitigate potential threats before they occur while also having the necessary resources and procedures in place to react in case of unexpected incidents or emergencies.

A robust TRM program enables an organization to fulfill its Duty of Care. Duty of Care refers to the legal and moral obligation of an organization to do everything reasonably possible to ensure the health and safety of employees. This includes taking action to reduce the likelihood and impact of medical and security incidents, providing travelers with information on potential threats, offering training and support, and having emergency plans in place to address any foreseeable crises that may arise during travel. While organizations have always had a Duty of Care to their employees, the 2021 release of ISO 31030 - “Travel Risk Management - Guidance for Organizations” by the International Organization for Standardization set the first international standard for managing travel risk. The release of this standard could affect an organization’s legal liability if they fail to comply with the new guidelines.
 
While Duty of Care is the overarching legal principle that establishes the organization’s obligation to prevent harm or injury to employees, Standard of Care is a legal term that refers to the degree of care a reasonable and prudent individual or organization would exercise in a particular circumstance. Basically, Standard of Care sets the benchmark for what is considered a reasonable or acceptable level of care in the given context and can vary depending on the circumstances and the specific business activities of the organization involved. In legal cases, it is often determined by established practices within a given industry. Simply put, an organization can be held liable for not providing the Standard of Care applied by similar organizations. This means that the Standard of Care is a moving target and organizations need to be aware of new practices adopted within their industry.

Having a well-structured TRM program is essential for ensuring the safety and interests of both employees and organizations during travel. Benefits of a comprehensive TRM program include:

  • Protecting personnel and assets;

  • Reducing legal and financial exposure;

  • Facilitating business operations in high-risk locations;

  • Enhancing an organization’s reputation and credibility;

  • Increasing worker confidence;

  • Improving business continuity capability and organizational resilience;

  • Increasing general productivity;

  • Attracting and retaining employees.

Where to Start – Understanding the Organization

There is no one-size-fits-all approach to TRM because the specific needs and risks associated with business travel can vary significantly among organizations. While ISO 31030 does provide a structured approach to the development, implementation, evaluation, and review of a TRM program, application of this standard must take into account the unique organizational context.

Before creating a TRM program, an organization should understand:

  • Its operational context including internal and external factors that can impact its ability to fulfill TRM program objectives;

  • The industry in which it operates and how this can affect the risks faced by travelers and its Duty of Care obligations. It should be familiar with relevant legislation and regulatory requirements that apply to the industry in the countries in which it operates;

  • Its risk profile and the evolving TRM landscape in which it operates. A comprehensive assessment should be conducted that considers the organization’s TRM objectives in relation to the context of the organization, the business sector, operational intricacies, travel destinations, and the profiles of individual travelers.

Achieving a balance between an organization’s business objectives and the measures required for effective risk management is imperative. An organization should assess the level of risk it is willing to accept in pursuit of its business goals, while implementing effective risk management measures. The risk management approach should be informed by the nature and magnitude of the risks faced by an organization. An organization with infrequent travel to low-risk destinations will require a different risk management approach than one regularly operating in high-risk destinations.

iJET’s Travel Risk Management Maturity ModelTM (TRM3TM) is an excellent resource for assessing and benchmarking your organization’s TRM maturity, and is available within the GBTA Resource Library.

TRM Team and Third-Party Providers

The TRM program should be managed by a team with the necessary expertise. The TRM policy should detail the responsibilities of internal and external stakeholders who have a role in supporting routine operations as well as emergency/crisis situations (see Table A1 for examples of internal and external stakeholders). It should be noted that while responsibilities for risk management may be delegated, top management retains ultimate accountability. The TRM policy should also outline the responsibilities of travelers to adhere to the prescribed guidelines, a concept often referred to as “Duty of Loyalty”.

Assessing an organization’s risk profile will help inform the extent to which the risks can be managed by the organization’s own resources or if support is required from third-party providers. This is an important consideration when developing and implementing a TRM program. Partnering with a third-party TRM provider can be valuable but its suitability depends on the organization’s specific circumstances and needs. Potential benefits of TRM providers include providing expertise, risk assessments, 24/7 support, global reach, access to advanced technology for tracking travelers and monitoring global events, training and educational resources, and cost efficiency. However, there are situations when partnering with a TRM provider may not be necessary or cost-effective. For example, an organization who primarily engages in domestic or low-risk travel or an organization who already has adequate in-house expertise in travel risk management.

There are important considerations when partnering with a TRM. One potential risk is over-reliance on a TRM provider, leading to complacency in organizational and individual responsibilities for safety. It’s important to remember that having a TRM provider is not a full solution and should be part of a broader approach that includes internal policies, procedures, employee training, and collaboration with stakeholders to create a comprehensive solution to travel risk.  Furthermore, certain TRM providers might offer standardized solutions that may not fully align with the unique needs or risk profile of the organization. Another obstacle when partnering with a TRM provider can be obtaining employee buy-in. Getting employees to fully engage with the TRM provider and understand the TRM procedures is critical for an effective TRM program.

Organizations must weigh the potential benefits against the costs and consider whether the services offered align with the security priorities of the organization. A TRM provider should complement, not replace, individual and organizational responsibilities for travel security.

TRM Basics

When starting your journey into TRM, the following information lays out the basics your program should cover.

Planning
Planning requires an organization to define its overall TRM strategy. As noted above, an organization must create policy that aligns with the organization's goals, culture and risk profile. TRM should be integrated with an organization's Crisis Management Plan, Business Continuity Plan and Travel & Expense Policy. Developing a comprehensive plan allows an organization to be proactive rather than reactive. At a minimum an organization’s plan should include kidnap and ransom planning, evacuation planning, and strategic/emergency communications.

Training
Training refers to an organization developing its employees' skills and knowledge so they can perform their roles effectively and efficiently (travelers and travel management team). There are three main areas of training an organization’s TRM program should address:

Traveler Training: This entails providing travelers with basic pre-travel knowledge like personal safety tips, destination-specific information, health precautions, emergency procedures, etc. Many third party organizations offer rudimentary security and medical travel training via online modules. For travel to higher risk destinations, additional security training like Hostile Environment Awareness Training (HEAT), executive protection, situational awareness and anti-surveillance techniques may be required.

Travel Advisor/Professional Training: This should be offered to all professionals in an organization who have a role in the delivery of the TRM program including travel, security and human resources staff. It should cover TRM systems and processes so all staff are aware of what is expected of them to prevent or address an emergency.

Crisis Management Team Training: An organization should run regular (at minimum annually) simulations and drills to ensure the crisis management plan and procedures are executed efficiently. Be sure to include backfills and keep the list of established point-of-contacts (POCs) up-to-date.

Monitoring/Traveler Tracking
A TRM program needs to have systems and staff in place (internal and/or external) to provide real-time monitoring of potential threats to an organization’s traveling population. Thus, it is critical that an organization knows exactly where their travelers are at all times. There are three main traveler tracking methods:

Itinerary Based: Often integrated with the TMC, these systems collate booking information relating to travelers’ PNRs. However, these are only an indicator of where a traveler should be, depending on the risk level in the destination, supplementing this with a check-in system can provide more accurate data.

Expense Based: These systems monitor expenditure and sometimes itineraries. Often only report on where a traveler was post trip.

Technology Based: These systems use technology to track, monitor and record movements and precise locations. This includes devices like SPOT and inReach. They can provide the most accurate data as to where the traveler is, however, they can be compromised by user capability (i.e. not carrying the device), or during an incident. Often this method is utilized in high to extreme risk locations only.


Response
Incident response requires TRM programs to have a resource in place that travelers can contact 24 hours a day 7 days a week. This could be an emergency line staffed by an organization's security department, or a third party provider of medical/security assistance for any issues or emergencies. Your program should include clear escalation procedures if there is an incident with a traveler. These procedures should integrate with your organization’s crisis or incident management processes.

Feedback
Lastly, feedback, often forgotten, is an important TRM component that requires an organization to have a sufficient process in place to review incidents to determine if they could have been prevented and if not, if they were handled effectively. These are commonly called After-Action Reviews, and should be conducted with the key stakeholders of the crisis management team and the traveler. This can be conducted by surveys or debriefs and should be used to inform change in policies, plans, and procedures.

Continuous Improvement and TRM

An organization should establish a system to evaluate, monitor and review the effectiveness of its TRM program and identify strengths and weaknesses to guide further development and improvement. At a minimum, a full review should be conducted annually, focusing on improvement and incorporating the lessons learned from the previous After-Action Reviews. If an organization has contracted a third party TRM provider, they should be included in the review. Organizations may choose to undergo more frequent reviews triggered by: new travel destination(s), a change in the risk level in an existing location (political, health, natural), change in organizational profile or demographic of travelers, legal or regulatory requirements, or a significant incident in the organization or industry.

There are several methods an organization can implement in their TRM program for effective feedback and continuous improvement including:

Surveys: It should be designed to identify gaps, improve program effectiveness and highlight changes in conduct, compliance and security culture. It should cover pre-travel approval, briefings, support during travel, and post travel-briefings. A short survey sent to travelers annually or every 180 days based on the last date of travel may produce more useful data than a voluntary survey.

Benchmarking: An organization should regularly engage in benchmarking exercises with similar sized organizations, industry and geographical exposure not only to share knowledge and compare providers but to ensure continuous improvement. Travel Managers can also contact GBTA’s Global Risk Committee for additional information or input.

Metrics: To effectively evaluate a TRM program, an organization should identify and track key performance indicators to provide stakeholders with actionable metrics. These can include traveling population (number of travelers, types, etc.), travel by category (risk rating, date, locations), number of pre/post travel debriefs conducted, number of trips rejected due to risk, training provided (classes, online modules, etc.), incident rate and response time, costs, third party service provider performance (logistics, security, medical emergency, etc.), and traveler compliance.

Conclusion

As the world becomes increasingly interconnected, the need for robust TRM practices has never been more apparent. From natural disasters to health emergencies, geopolitical instability to cyber threats, the risks associated with travel are diverse and evolving. In this context, TRM acts as a shield, allowing organizations and individuals to navigate these challenges with confidence.

The adoption of TRM is not a one-size-fits-all process. It requires tailored solutions that consider the unique needs of an organization and its travelers. Moreover, staying up-to-date with emerging risks and technologies is paramount for the success of any TRM program.

Ultimately, Travel Risk Management is an investment in the safety, security, and well-being of travelers, and it also contributes to an organization’s reputation and bottom line. As the travel landscape continues to evolve, the commitment to effective TRM is not an option, but a strategic imperative. By diligently preparing, equipping and supporting travelers, organizations can not only mitigate potential risks but also foster a culture of preparedness and resilience.

Appendix
 

Table I - Example of Internal and External Stakeholders (International Organization for Standardization, 2021, page 7)

 

Internal Stakeholders External Stakeholders
  • health and safety/environment, 
    health and safety/occupational, 
    health and safety
  • marketing and
    communications
  • insurance
    providers
  • corporate security/information security
  • board of directors
  • travel management companies
  • data privacy
  • procurement and sourcing
  • travel risk management companies
  • business continuity
  • compliance
  • appropriate government agencies
  • crisis management
  • operations
  • regulators and emergency services
  • incident management
  • workers/students
  • providers and sub-providers
  • corporate social responsibility/sustainability
  • insurance
  • clients
  • global travel/corporate travel
  • finance
  • travellers' designated emergency contact
  • human resources/internal mobility/training
  • audit
  • travellers' dependants
  • regional management
  • legal
  • local partners or communities
  • risk management
  • unions/workers council
  
 
  • travel and mobility
  
 
  • medical
  
 
  • security
  

References

iJET International. (2011). Travel Risk Management Maturity Model - TRM3 (iJET/WP-0012-02). Travel Safety Toolkit: Evaluating


International Organization for Standardization. (2021). Travel risk management - Guidance for organizations (ISO Standard No. 31030:2021). iso.org/standard/54204.html 

Continue to Glossary

Continue to Module 1: Communications

Table of Contents