Travel Risk Management — Guidance for Organizations
ISO 31030: 2021 Edition
The ISO, International Organization for Standardization, is a worldwide federation including members from international organizations, governmental and non-governmental entities with the intent to provide guidance to assist those managing and participating in organizational travel. In late 2021, ISO documented their 58-page recommendations for Travel Risk Management which is available and may be obtained by purchase here.
To support your initial needs, Travel Incorporated has highlighted the framework and key points to assist our clients as you and your team reviews and amends your Travel Risk Management Program.
Why Risk Management
Travelers, whether international or domestic, can be faced with unfamiliar situations and environments that have different risk profiles to those of their normal location. It is the company’s responsibilities to promote a culture where travel-related risk is taken seriously, resourced adequately, and managed effectively. The Risk Management departments should endeavor to anticipate situations, assess events, design policies and then communicates potential risk exposures to their travelers.
It is recommended that organizations use a blend of both internal resources and external assistance to proportionately address risk levels and exposure. As outlined by ISO, the recommendations included in this summary proposes that the organization’s overall appetite and acceptance of risk should not take precedence, or be used exclusively, in deciding whether travel is appropriate for security, safety or health reasons.
- Understanding Operational Context
- Managing Travel Risk
- Risk Assessment and Treatment
- Monitoring, Reporting and Communication
Understanding Internal and External Operational Context
It is important that an organization has a clear understanding of the factors that can affect or influence its risk management objectives, including the external and internal context in which it operates.
|Political, Social-Economic||Quality, availability and reliability of Transportation and Telecommunications||Quality of local health infrastructure and medical care|
|Cultural, Religious/Ethical Legal or regulatory factor||Susceptibility to Natural Disasters||Information/Cyber security|
|Political Violence, Terrorism, Insurgence||Effectiveness of public and private security and emergency services||Quality of hotel/accommodations|
|Violent and Petty Crime||Potential for Health hazards||Ground and Road conditions|
|Organization’s vision, mission, values and culture||Governance, Structure, Roles responsibilities and Accountabilities||Strategy, Objectives, Criteria and Policies|
|Range of travel activities and traveler competencies||Resources and tools to manage travel risk||Data, information Systems and Flows|
Managing Travel Risk
Managing travel risk encompasses a combination of Leadership responsibility and accountability, Policy design and enforcement, Setting Objectives and establishing the program, Implementation.
Leadership: Executive management should set the commitment and support of the program by taking accountability for the effectiveness of the process, ensuring the policy and objectives are established within the strategic direction of the company, and ensuring resources and logistics are in place to properly monitor and implement the program.
Policy: The risk management policy as a standard should define the risk management principles, is in alignment with the needs and resources of the company as well as the business continuity and travel procurement policy and then effectively communicated to the business travelers. The policy should outline risk assessment processes, risk criteria, as well as relevant legislation. The policy should include whether or not the booking was made as a travel policy exception, refer to both on and off-duty time during the journey, including personal leave if travel is combined with business and leisure and if a companion is traveling with the employee.
Setting Objectives: The primary objective is to ensure travelers can perform their role optimally in a safe and secure environment and to have procedures in place to respond in the event of an emergency.
When establishing a program, the plan should include the following:
- Obtain support from leadership, engage internal and external stakeholders and provide the resources required to manage the program
- Outline key process, their interactions, and if the risk program is standalone or part of a broader structure
- Establish roles and responsibilities with the implementation and ongoing management
- Ascertain actions to ensure the health, safety and security risks can be monitored and budget is approved for any related operational requirements. Actions may be in direct relationship to the company’s risk profile in relation to travel risk destinations as follows:
- International and Domestic travel, including if the home country contains areas of risk to travelers
- Provide comprehensive list of categories of risk, for example direct risk to personnel such as injury, theft, kidnapping or death; legal risk (criminal or civil), business continuity and risk to reputation, financial, and data
- Agree on criteria for decision-making if a difference of opinion related to the level of risk is under question.
Implementation: The company should create the implementation plan to include
- Destination and time frames: Classify destinations based upon an up-to date risk assessment considering both the city itself, as well as regions as the risk level can vary significantly within the same country. Take into consideration dates for events that can have influence on the health.
- Traveler-related issues: Particularly attention should be paid to minors traveling without legal guardians, clarifications of how risks are to be managed for risks arising during off-duty of personal leave time, and assess relevant training requirements pre-trip.
- Processes: Procedures need to be clear and effectively communicated to travelers. These processes include the establishment of written documentation for protocols provision of security awareness and procedures for pre-travel authorization including booking of travel and accommodation. Attention to collection and analysis of relevant information obtained from both in-house and external party providers.
- Incident management: Your organization must have an incident and crisis management team of competent staff that are responsible for communication with instructions and authorization to act when, and how, appropriate.
Risk Assessment and Treatment
Risk assessment is the overall process that includes risk identification, analysis and evaluation. This will vary by company, but structurally takes into consideration the purpose, security threats, and hazards.
The purpose of the Risk Assessment is to identify the risk, likelihood of an event occurring and the range of consequences if it does, as well as the significance of the risk to the traveler and organization. The assessment should prioritize risks that require action, enable the organization to make informed decisions as to whether to permit the planned travel, and then communicate protocols to the traveler.
Security threats during travel
- Crime, ranging from opportunistic petty crime to organized kidnapping for ransom
- Terrorism and Cyber crime
- Activism, state oppression/repression, social engineering or aggressive and/or negative behavior based upon personal profile of the traveler or organization
- Health hazards related to infectious diseases and outbreaks, local hygiene conditions or food-borne illness
- Transportation incidents or incidents due to the environment (adverse weather)
- Industrial disasters such as explosion or fire
- Unintentional/negligent activities
Based upon the risk assessment, companies should ensure that controls address risks prior to, during and after travel is completed. It is important to recognize the importance of risk avoidance through approval authorizations in relation to the risk assessment parameters and restrictions as identified by the program. The treatment must take into consideration risk sharing with 3rd parties and the associated liabilities within the contract, as well as the need for adequate insurance cover being in place.
Reducing risk within the treatment of the program takes into consideration the sources of travel not only to the destination, but accommodations, route, itinerary and duration of travel with the available access to critical infrastructure and local resources including medical treatments and specific medical response plans to those travelers with special needs.
All risk treatment programs should ensure special considerations should be made to ensure the security of data, information security and privacy protection.
Monitoring, Reporting and Communication
Companies should develop procedures to enable travelers to communicate urgently should they have any safety, security or health matters. Clear processes for urgent requests for assistance must be in place and clearly communicated to all travelers. These procedures include references to those best positioned to provide immediate support and will vary depending on the nature and severity of the incident or emergency.
Traveler Tracking: Knowing the planned destination, or current location of travelers is essential to warn of threats and hazards, and to protect them during and after an incident. Three methods whereby travelers can be tracked include:
- itinerary-based: systems that consolidate booking information related to air, rail, ground transportation and accommodation
- expense -based: these systems monitor expenditure as to where the traveler has been, but is not a real time monitoring option and should be used in association with other tracking processes
- technology-based: the use of technology to track, monitor and record movements and precise location (ex: geo-tracking). This provides the most accurate data but is subject to availability, user capability and power and connectivity requirements.
Kidnap, Ransom and Evacuation Planning: Preparation and response for kidnap, ransom and evacuation necessities must be predefined in the management planning. Options for consideration include ransom insurance as well as specialist insurance where legal. The plan should also include the ability to confirm the identity of the traveler in cases of kidnapping, abduction or detention, including ‘proof of life’ documentation.
Evacuation planning in partnership with third-party providers is recommended and is used for relocation needs, sheltering in place, as well as in response to medical emergencies, political instability or natural incidents.
Traveler Communication: The agreed Risk Management policy and procedures should be effectively communicated throughout the company so that travelers and managers understand and are aware of the travel risks and how the organization controls and manages them.
Prior to departing, travelers need to be aware of and understand:
- the actual or potential impact of travel risk on their work, safety, security and health
- the risks the traveler can be exposed to during travel and how to identify them
- how they can effectively manage their safety, health and security
- the benefits of following the Risk Management policy and procedures, as well as the implications of not doing so
- their requirements to be engaged in the company’s duty of care policies and procedures
If third-party providers are used by the organization, the traveler should be aware of how these partners support the duty of care program and the purpose of their involvement with the company and the traveler’s individual safety and security.