As I wrote this tutorial, I kept thinking about Bilbo’s warning:
“It’s a dangerous business, Frodo, going out your door. You step onto the road, and if you don’t keep your feet, there’s no knowing where you’ll be swept off to.”
This document started off as a simple highlights list for travel risk management (TRM), but during the writing process, it became an in-depth tutorial encompassing most areas within TRM. The document can now be seen as a guide to implementing your first travel risk management program with some interesting anecdotal facts for the more experienced reader.
I would like to send a special thank you and express my deep appreciation to Bruce McIndoe, the founder of iJet/WorldAware, for his valuable input. Bruce is a legend within the industry and one of the most knowledgeable people within Travel Risk Management. This tutorial was greatly improved thanks to his insightful feedback.
Andreas Rodman, Co-founder Safeture
The ISO standard 310301 for Travel Risk Management defines travel risk as the “effect of uncertainty on objectives due to travel,” which sounds very clinical. I prefer to say that travel risk management (TRM) is about making work-related travel safe for employees, consultants, contractors, interns, expats, and all other types of personnel. TRM is a big collection of processes and tools that involves many aspects and functions.
In this whitepaper, I will provide a bit of guidance on what I believe are the most important components and how they could be set up, such as travel approval, booking process, travel policies, pre-travel information, education, insurance, locating employees, emergency communication, emergency assistance, security aspects, medical aspects, and more.
TRM itself is part of a broader area of risk management related to personnel and is sometimes referred to as people risk management or employee risk management. With the strong positive trend towards remote work, allowing employees to work from anywhere, the definition of work-related travel becomes fuzzy. However, in this paper I will focus on the classic definition of TRM. I hope to discuss the broader aspects of people risk management in future articles.
I’m New to TRM; Where and How Should I Start?
However, if you are looking at setting up a TRM program for your organization and you have no previous TRM experience, then I strongly recommend using an external TRM supplier. TRM programs can range from simple to extremely complex depending on your organization’s needs, and the ISO 31030 standard provides poor guidance for non-experts on understanding your specific needs.
On top of that, TRM is a vast field that requires extensive knowledge and many types of functions. Therefore, implementing and maintaining your own TRM solution all by yourself can be very expensive.
Fortunately, there are many TRM suppliers in the market with tons of experience. TRM suppliers often have solutions designed for different types of organizations ranging from small one-office firms whose employees travel a few times per year to large international organizations with thousands of travelers each month.
Many different frameworks can be used to structure a TRM program. Which framework you select, or whether you select one at all, is not important. What is important is that you include the most crucial parts of a TRM program. Thus, the primary purpose of a TRM framework is to guide you in including these necessary aspects.
For the sake of clarity, in this tutorial I will use the ISO 31030 TRM framework that refers to the ISO 31000 standard because it is part of an official standard, even if other frameworks might be simpler to use.
This tutorial will focus more on setting up a TRM program and less on main-taining the program. Following the ISO 31030 standard framework, this setup focus means primarily looking at “Leadership and Commitment,” “Design,” and “Implementation,” which can be seen in the framework image (Figure 1).
Download the e-book here
A tutorial on Travel Risk Management.
Why Is There a Need for Travel Risk Management?
The need for travel risk management is driven by several factors:
- Legal responsibility (duty of care)
- Moral responsibility and employer ethics
- Retaining and attracting employees
- Other factors
The commonality among all the drivers above is that they begin with the leadership of the organization. This is why “Leadership and Commitment” is at the center of the TRM framework shown in Figure 1.
Legal responsibility (duty of care)
In most countries, the organization as an employer has a responsibility to care for its employees during work. This responsibility extends to work-related travel since travel is part of the work assignment, and the responsibility remains with the employer even if the person is doing their work in a different location.
For non-employees such as consultants and contractors, the responsibility is less clear and varies, but for simplicity’s sake, in this whitepaper, “employees” will mean both employed and non-employed personnel unless stated otherwise. Similarly, “employer” or “organization” will mean the legal party responsible for assigning work tasks to a person, no matter if the agreement with the person is through an employment agreement or a different type of agreement.
Duty of care is a term often associated with travel risk management. Duty of care in TRM has not been clearly defined, but a good description is the employer’s legal and moral responsibilities for employees during work-related trips.
Legal responsibility means employers in many countries may be liable for damages if an employee is injured or killed during a work-related trip. A properly executed TRM program provides a legal defense if that happens.
Moral responsibility and employer ethics
Moral responsibility and employer ethics involve the employer ensuring, as a fundamental decency when sending an employee to a destination, that the destination is safe, the trip is safe, and that if something were to happen at the location, the employer will assist the employee.
Retaining and attracting employees
Retaining and attracting employees is part of employer branding, and it is crucial to be seen as a good and caring employer in order to keep existing employees and recruit new people.
Of these factors, legal resonsibility is the most prominent driver behind companies implementing a TRM program.
Legislation and legal cases
The legal responsibility of employers to care for their employees is old and well-established in most countries. Many countries today have extensive duty of care legislation on how to protect employees, subcontractors, and other types of workers.
The duty of care laws and the formal legal responsibility for business travelers varies depending on the local legislation, but it is a common trait that countries with strong labor laws usually have stricter legal demands regarding travel risk management.
Although it is rare that companies face legal penalties, there are multiple legal cases where employers have been fined or paid damages due to lack of TRM when an employee or worker has been injured or kidnapped, died, or has had some other major incident during work-related travel. By implementing a proper TRM program, the employer can appropriately manage the legal responsibility, and the risk of having to pay damages or fines is mitigated.
- A French subcontractor named Thierry died in a terrorist attack, and the company, which did not have an adequate duty of care program for expats working abroad, had to pay 129,000 EUR in damages.
- A Norwegian NGO had to pay 420,000 EUR in damages to an employee named Steve Dennis for failing in its duty of care.
- An American student got a tick-borne disease resulting in life-altering neurological damage during a school trip to China. The school then paid 41.5 million USD in damages due to failure in the travel duty of care. This case went up to the U.S. Supreme Court, which ruled in favor of the student, thereby cementing the legal grounds that U.S.-based organizations are liable for damages when failing in the area of travel risk management.
Since legal penalties are rare, albeit steep when they are applied, many organizations unfortunately believe that the legal demands for a safe workplace only apply when the employee is working in the physical facility used by the organization (store, factory, office, etc.). However, workplace laws apply to the location in which the employee needs to perform their work tasks, no matter where that may be.
This means if the work includes travel, then the car, train station, train, airport, airplane, taxi, hotel, and final travel destination, including the restaurant for dinner in the evening, are all part of the employee’s workplace, and it is the employer’s responsibility to make sure the employee has a safe work environment throughout all parts of the trip, including to and from the destination.
Unclear legal responsibility boundaries
In many countries, the employer is responsible for the employee 24/7 from the second they leave their home for work-related travel until they are back at home. This creates a complex situation when the employee is doing leisure activities during their work travel, and the situation is so common that the term “bleisure travel” has been minted for travel that combines business and leisure activities.
Bleisure travel requires clear organizational policies that define the lines of responsibility between work and leisure activities. Travel insurance is also affected by bleisure travel; the organization’s travel insurance company, in many cases, will not cover costs for incidents resulting from leisure activities during work travel.
Managing the entire risk
After an organization has grasped the legal responsibility of work travel, a common mistake is implementing a TRM program that only covers the most common travel risks, thereby still exposing the organization to the risk of legal damages for less common risks. This will be discussed further under the section “Inadequate solutions” below. Even in the U.S., where worker’s compensation insurance is considered ironclad protection, there are, in fact, gaps in the worker’s compensation insurance related specifically to work travel.
Remote worker trend
It is also interesting to note that as the remote worker trend grows, the employer’s legal responsibility for out-of-office work is becoming blurred. For example, in a case in Germany, it was considered a work accident when an employee tripped while walking from his bedroom to his home office in his own home.
Duty of care compliance
The main business driver for establishing a TRM program is duty of care compliance. Corporate management often decides to establish and maintain a TRM program to mitigate the risk of lawsuits or other damages.
A common catalyst for implementing or improving a TRM program is having a problematic incident. After the incident, the organization looks at what happened depending on whether there was a TRM program in place or not. If there was no TRM program, then the incident often becomes the starting point for establishing a TRM program.
If there was a TRM program in place, then an evaluation begins to understand what went wrong and what went right, which often results in strengthening the TRM program. These types of incidents often involve a single employee who was severely injured, exposed to a major risk, or kidnapped abroad.
Some organizations operate in high-risk areas, resulting in frequent incidents. These organizations often have extensive TRM solutions since they have a long history of incidents and know that the probability of having new incidents in the future is high.
For example, companies providing infrastructure solutions such as power supply and mobile communication need to operate all the time, in all areas, including conflict zones and natural disaster areas. The irony is that these types of companies often bring employees into these high-risk areas to rebuild infrastructure as other organizations evacuate employees from the same area.
Some TRM programs are driven more by ethics and organizational culture than by compliance. Organizational ethics originate from top management. This means that top management believes that protecting its people is part of the organization’s core values, and the organization is prepared to invest resources into providing that protection.
This is often combined with other employee policies that allow the organization to be seen as a good and caring employer. Ethics-driven TRM programs tend to be better implemented since they are often provided with more resources than required to fulfill the minimum demands for a TRM program.
The ISO 31030 TRM framework shown above in Figure 1 begins in the center with Leadership and Commitment. When top management is committed, it results in understanding how to integrate a TRM program with the organization’s daily needs, which is then followed by designing and implementing the TRM program.
Looking specifically at design and implementation, there are a vast number of ways to design and implement a TRM program that results in many different solutions to fulfill the needs of your organization.
To give you an overview, I have listed some common solutions and categorized them into two groups:
- Inadequate solutions are solutions that provide some level of TRM but, in many experts’ opinion, will not fulfill your duty of care and leave you open to lawsuits and other financial risks. These are also solutions that are poorly aligned with good employer ethics.
- Adequate solutions are solutions that provide good protection for your traveling employees and align well with strong employer branding and good employer ethics.
The most common TRM solution today is to have only insurance, such as travel insurance, which is the standard solution for smaller organizations.
Even though insurance is a good start and a necessity in a TRM program, it is unfortunately not enough. Smaller organizations usually do not realize that they need more because having few employees means the probability of something happening is low, and when it does, small organizations are often flexible enough to manage the problem ad-hoc. However, even if you can manage things ad-hoc using only travel insurance, you will not fulfill your duty of care, and a major employee incident abroad might have a severe financial impact on a small organization.
Travel insurance, or similar, offers good coverage of medical emergencies and provides employees with a number to call in case of a medical emergency. However, for non-medical incidents, such as natural disasters, kidnappings, physical threats, hotel burglaries, robberies, civil unrest, political conflicts, chemical accidents, etc., standard travel insurance does not provide any help unless the employee is injured in the incident.
Additionally, some types of medical incidents, such as pre-existing medical conditions, alcohol-related accidents, or injuries from risk-prone activities (riding a motorbike, extreme sports accidents, being injured when traveling to destinations against government recommendations, etc.), are often excluded from travel insurance.
The fact that travel insurance does not cover many types of frequently occurring incidents is the main reason why it is not enough to only have insurance and why organizations need to add more to their TRM solution to provide proper risk coverage.
If an organization only has travel insurance, then the organization is at high risk of paying damages and other related high costs for work-related travel. Adding to the issue is employer branding; the organization carries the risk of becoming known as having poor protection for employees who travel for their work.
Basic managed solution without assistance
Basic managed solutions without assistance are commonly found within mid-size companies where a manager or a small group of managers are equipped with only a travel tracker and travel insurance.
The key component in creating a managed solution is to keep track of all work travel. Common solutions include assigning a designated travel management company (TMC) to book all travel or having an internal travel manager arrange all travel. A travel tracker is added to the solution that enables the management to search and list all booked travel to help the workflow.
This setup allows the people responsible for TRM to look up who has traveled or will travel to a destination in case something happens, such as a natural disaster, conflict, or similar. The travel tracker allows the organization to answer the question, “Who do we have traveling there?” The setup should specify who is responsible for managing the situation when an incident occurs, which means that there will be a designated contact person for the employee.
A common problem with the setup of basic managed solutions without assistance is that the managers responsible for travel risk often have many other responsibilities, which means they are not available 24/7. Thus, they lack the resources and local contacts to assist employees on the ground in faraway countries. The result is, therefore, that it can take days for an employee to reach somebody to assist them, and when they do, the organization has difficulties helping them.
Since this setup often results in a poor and slow response that is ad-hoc or, in the worst case, no response at all, it is considered by many experts to be a solution that does not fulfill your duty of care and thereby has less protection for your employees and your organization.
Organizations that have selected a basic managed solution without assistance understand that travel insurance is not enough but have unfortunately invested too few resources to implement a proper TRM program. As shown in the ISO 31030 TRM framework above, it all begins with Leadership and Commitment in the center, which then translates into the integration and design of the TRM program.
Please note there are TRM implementations that may look like an inadequate solution on the surface but are, in fact, proper comprehensive solutions. The difference is that such solutions are implemented by organizations that have invested a lot into building a fully working 24/7 internal TRM assistance team with all the necessary associated processes. We will touch upon several of those processes in the section “Comprehensive managed solutions.”
Download the e-book here
A tutorial on Travel Risk Management.
Managed solution with only reactive assistance
Large organizations have the resources to build the entire solution internally, but TRM is complex and expensive, which results in most organizations selecting a fully or partially outsourced solution. It is also common to use multiple outsourced suppliers and combine them into an improved solution.
When selecting an outsourced solution, consider that the assistance provider must be able to manage both medical emergencies as well as security emergencies to properly fulfill your organization’s duty of care. Most assistance providers focus on medical or security, which is why some use multiple assistance providers. When combining assistance providers, clear processes need to be established, such as who is responsible for a case and how to migrate or coordinate cases between the assistance providers.
Outsourced managed solutions are popular since the organization can push much of the TRM responsibility to a sub-supplier, which minimizes the amount of work and knowledge required within the organization.
Below are some important checkpoints to verify the compliance of an external assistance provider offering a TRM solution. The provider(s) should be able to provide the following:
- 24/7 medical emergency assistance
- 24/7 security emergency assistance
- Established processes between all the active parties
- The medical assistance provider should be able to cover medical costs directly for medical assistance abroad and then manage the cost claims later with the insurance company or whatever the situation requires.
A managed solution with only reactive assistance is considered adequate from a duty-of-care perspective. However, its main disadvantage is that actions are taken after employees request assistance. This means that these solutions focus on managing incidents after the incidents have occurred. In other words, these TRM solutions are only activated if an employee reaches out to the assistance provider.
More comprehensive solutions, described below, focus on preemptive work by preventing employees from being exposed to risks or acting proactively when the risk changes due to some unforeseen event.
Comprehensive managed solutions
Comprehensive managed solutions look at all risks and create risk mitigation solutions for all travel phases ranging from travel planning to returning home.
The ISO 31030 standard provides a good complete list of everything you could want from a comprehensive solution. However, that list is very long and expensive to implement. In this section, I will highlight some of the key features I believe to be the most important and should be the foundation for a comprehensive solution. In my opinion, managed comprehensive solutions need to be automated as much as possible. Automation will keep the cost down and increase the quality since manual TRM tasks tend to result in human errors or be down-prioritized due to the high workload.
A work-related trip can be divided into three phases:
Comprehensive solutions often focus on the pre-travel processes with the rationale that the best solution is to not be exposed to risks at all and prevent incidents from happening in the first place through good planning and preparation. By focusing on the pre-travel, incidents can be avoided, for example, by planning a secure travel route and itinerary, adding secure travel services, education, vaccinations, accommodation selection, or even canceling the entire trip.
Comprehensive solutions are common for large international organizations or organizations with operations in high-risk areas. To quote a large international provider of essential infrastructure, “We never evacuate, we only relocate”—meaning that they move employees to safe areas within a country before a local conflict expands, thereby avoiding incidents even when they operate in countries with ongoing conflicts.
Pre-travel processes include many different methods of risk avoidance and risk reduction that prevent or minimize the risk of the employee having an incident at all.
The methods below are effective, not too complex to implement and maintain, and often used by large organizations:
- Automated integration between travel bookings and country risk levels to trigger travel approvals
- Pre-travel authorization
- Travelers registering with the TRM platform before departure
- Pre-travel medical approval
- Traveler safety and security e-learning
- Pre-travel and en route alerts
- Informing about country risk and related travel information
- Additional prebooked travel services
Automated integration between travel bookings and country risk levels
In an ideal world, all work-related trips should be reviewed and approved from a security perspective before any bookings are made, which is called pre-travel authorization. The reality is that few organizations have the resources, tools, and discipline to run an approval process before every trip is booked.
To be able to automate the pre-travel authorization process, a common solution is to categorize every country by risk level. The country risk level is then correlated with the travel bookings, so only bookings to high-risk countries trigger a pre-travel authorization process. With this automation, management can automatically filter which bookings should be scrutinized for pre-travel authorization.
For this type of integration to work, the organization needs to use both designated and integrated travel management companies or apply other tools to detect travel bookings. (These tools are discussed in the section “Outside travel policy bookings.”)
Pre-travel authorization, commonly called “pre-trip approval,” evaluates the travel plans from a security risk perspective to see whether the plan follows the TRM policy.
The approval process should look at all types of risk aspects, including destination, means of travel, accommodations, medical conditions, etc.
Pre-travel authorization from a travel risk perspective can be difficult to implement because the manager approving the trip from a business perspective is usually a completely different person than the person approving the trip from a travel risk perspective. Managers often approve trips from a business perspective without any understanding or thought of the travel risks. By integrating travel bookings and country risk levels, pre-travel authorization processes can be automated and thereby bridge the gap between the business perspective and travel risk perspective.
When integration is in place between booking and country risk levels:
- Designated travel management companies can block bookings to high-risk countries unless a pre-travel authorization is provided from a travel risk perspective; or
- A notification of the high-risk booking can be sent to the group responsible for pre-travel authorization.
The second option, with notification of all high-risk bookings, is the more common solution since it is easier to implement and requires less discipline, and is, therefore, more reliable. It is also the only solution that can automatically manage pre-travel authorization for out-of-policy bookings (see the section “Outside travel policy bookings” below).
When the group responsible for travel risk approval receives the high-risk booking notification, a process begins that usually includes initiating a dialogue with the traveler and the traveler’s manager to verify that the trip is necessary. The responsible group also starts all preparation required for traveling to the area, such as meet-and-greet, education, medical approvals, etc.
Travelers registering with the TRM platform before departure
The onboarding is a process that includes many components, and it is work that never ends. New employees need to be onboarded, and old employees might need to be onboarded again because they have forgotten what to do, lost the necessary information, or lost access to the TRM platform.
Some organizations set onboarding as a policy requirement for all work travel; others, unfortunately, treat it only as a recommendation.
Onboarding processes often include tasks like:
- Sending out instructions, information documents, and videos about the TRM solution and how to register with it
- Collecting employee contact information and other data to populate the TRM databases
- Informing employees to use a specific travel management company to guarantee that all bookings are collected by the TRM solution
- Distributing assistance cards for the traveler to have in their wallet
- Installing mobile apps connected to the TRM solution
- Integrating with human resource management systems or identity platforms to automatically collect employee data into the TRM solution
- Integrating a designated travel management company to receive copies of all travel bookings into the TRM solution
A good tip for achieving a successful TRM program is to have a structured onboarding process that is motivated by a clear travel policy demand.
Pre-travel medical approval
The second most common type of travel incident is health-related (travel disruptions being the most common).
A comprehensive solution can therefore assess whether a traveler is fit to travel from a medical perspective before departing to reduce the travel risk. This is especially important when the travel destination is an area or country with poor medical capabilities.
A good medical approval process should block travel if the traveler has medical conditions that are difficult to treat at the destination or could become critical due to the trip. Some work travels take the traveler far from major cities. So, even if good medical treatment exists within the country, the nearest adequate hospital might be very far away.
Medical approvals include challenges related to privacy rights. Employees are often reluctant to share medical information with their employer, and this type of personal data is classified as highly sensitive in many countries, requiring specific forms of collection and storage.
One solution to this problem is to use an external third-party travel approval provider that keeps all patient data confidential and only informs the employer about whether or not the employee is fit to travel to the destination. Pre-travel medical approval will also help mitigate the risk of insurance not covering medical care abroad for pre-existing conditions.
Traveler safety and security e-learning
Work-related travel is often complex and involves unique situations, making it impossible to prepare for all types of incidents that can occur. By increasing the traveler’s understanding and knowledge, however, many of these risks can be detected and avoided by the traveler during the trip.
Some organizations do traditional instruction-led education before the trips, but to create efficiency in the TRM program when there are many travelers, an e-learning solution can be used.
E-learning can include a test assessment phase to check if the traveler has understood the information. The results of the assessment can then be tied to approval phases or notifications so a traveler cannot travel to a destination without doing the e-learning courses and fulfilling the assessment criteria.
Pre-travel and en route alerts
It can be very valuable to receive information when something is happening or will probably happen at your planned destination before departure or during your travel to the destination. This is often called “pre-travel,” “pre-trip,” or “en route” alerts.
For example, knowing before departure that a tropical storm will occur, that a curfew has been ordered due to growing civil unrest, or that a disease outbreak is happening at the destination will enable the traveler to reschedule the trip to avoid the risk entirely. Similarly, if there are terrorist attacks at the destination while the traveler is en route to the destination, the itinerary can be changed on the fly to avoid lockdowns and other temporary restrictions due to the attack.
High-risk pre-travel and en route alerts should be sent both to the traveler and to management (e.g., the security manager or travel manager).
Informing about country risk and related travel information
Providing country risk and related travel information to the traveler is a valuable educational tool similar to e-learning.
If it is easy to access and read information about a country, it will enable the traveler to read up on common risks and how to behave in a country to reduce the risk of an incident. Educating the traveler is one of the best tools to avoid incidents.
A common mistake within travel risk management is not understanding the difference between country risk information provided to a security manager and generic country risk information given to an ordinary employee who is traveling. The information to the traveler should include more than just security risks.
Good country risk information also includes environmental risks, medical risks, major legal and cultural differences compared to other countries, and how to behave in that country to minimize the risk of an incident. The information should also be shorter, more generic, and assume less knowledge of the reader than, for example, that provided to a security manager.
Risk intelligence providers commonly provide extensive and detailed risk information on each country, with the target audience being security managers, travel managers, or other roles that are typically part of a travel risk management group.
For a traveler, the level of information given to a security manager is too detailed and too extensive. A traveler needs a very condensed and quick read about the major risks and how to avoid them. If the information is too long, the ordinary traveler will not find the time to read the information and, even if they do read it, will not remember the information.
The country risk information should be so condensed that a traveler has time to read it in the passport line at the airport and should not require any previous knowledge about the situation or country.
Example: Fire in Ghana
- Alert to Security Manager (Web Portal)
- Alert to Traveler (Mobile App)
Additional prebooked travel services
There are many travel services that can be added when planning travel to reduce the risk of incidents. One of the most common and effective services is booking secure ground transportation using known safe suppliers. For example, a simple “meet-and-greet” at the airport will allow the traveler to avoid the risk of getting into an unknown taxi with an unknown driver or ending up in a high-risk area when using public transportation.
A secure meet-and-greet service will remove not only the risk of robbery or kidnapping in that situation, but also the risk of lesser incidents such as scams (e.g., being overcharged for taxi fare).
Download the e-book here
A tutorial on Travel Risk Management.
Comprehensive managed solutions often include a proactive process for when an incident occurs.
The assistance center will proactively reach out to the employees in the affected area of a major incident to check if they are OK or need assistance. By using employee location information, the assistance center can compare all employees’ locations with affected areas to find out which employees they need to contact.
The proactive service also includes contacting employees planning to go to or on their way to the affected area. This is why it is important that a comprehensive solution automatically receive copies of all planned travel. Real-time location solutions such as mobile phone location provide detailed location data for finding out who is in the affected area, but real-time location data can’t look into the future.
Travel booking, on the other hand, will provide this insight into the future travel plans of the employee. Therefore, the best comprehensive solutions use a combination of real location systems (such as mobile phone location) and travel booking tracking for planned or ongoing travel.
Traveler alerts at the location
When a traveler is visiting a location for work, it is often difficult to understand what is going on locally from a risk perspective due to differences in language and culture. During work-related travel, the traveler frequently lives in a bubble, seeing only the airport, taxis, the hotel, and the workplace they are visiting. This means that if an incident happens, all travelers at the location need to receive information about the incident in a language they can understand.
To address this, comprehensive solutions often include a traveler alert functionality that pushes relevant information to the traveler based on their location. This is usually generic security and medical alerts about incidents in real time, but it is also common to include other types of relevant travel information, such as major traffic disturbances.
Implementing a travel risk management program requires multiple roles and multiple stakeholders from several parts of the organization. In this section, we will describe the usual stakeholders and their roles.
The person responsible for a TRM program is often the security manager. Top management typically views travel risk management as a security task and therefore places the security manager as the owner of a TRM program.
The security manager’s role encompasses many things, and travel risk is just a small part of it. This can be a problem when creating or maintaining a TRM program, as security is often viewed as a non-revenue-driving cost and is thus frequently under-financed. For commercial organizations, a more suitable security perspective would be to view TRM as securing revenue and profit, like business continuity management.
Large organizations often have internal travel managers, even if they are using external travel management companies. If there is an internal travel manager, he or she is most likely deeply involved in the travel risk management program since it is a crucial component of managing employee trips.
Smaller organizations usually do not prioritize resources for a dedicated travel manager, and in such cases, the common solution is that all travel management work is outsourced entirely to an external travel management company. Thus, a TRM program for smaller organizations seldom includes a travel role.
Travel risk management to fulfill a duty of care should be seen as part of employer compliance regulation, which makes HR (Human Resources) a crucial role. HR is most often involved during the integration and design phase of a TRM program or when a major incident happens.
Travel management plays a central role in travel risk management. Travel management’s primary purpose is to assist employees in booking trips and is usually implemented using one or several external travel management companies (TMCs) or through a corporate travel department (CTD) within the organization.
One of the most common practices for building a solid travel risk management program is setting a policy stating that all employees should use a designated TMC or CTD. With a designated TMC or CTD, a TRM platform can automatically receive copies of all bookings. Even if there is no integrated TRM platform, it is still possible to retrieve copies of bookings by manually contacting the TMC or CTD.
TMCs and CTDs can also assist in the pre-travel authorization process and implement approval checkpoints and travel restrictions on behalf of the organization. (See the section “Pre-travel authorization” above for more information.)
Having a designated TMC or CTD in the travel policy is an important ground rule for TRM. However, even with a designated TMC or CTD, many bookings will be made by other means, which creates a problem if the TRM program relies entirely on employees booking their trips using the TMC or CTD.
The problem of booking trips via other platforms can be mitigated, and the travel policy still adhered to, by allowing the employee to forward the booking to the TMC or CTD, or even directly to the TRM system.
The real issue occurs when the employee books a trip on some other platform without forwarding the information, thereby breaching the policy.
- The employee is not aware of the policy or finds cheaper tickets somewhere else.
- The employee wants to circumvent the travel policy with the purpose of receiving personal loyalty points with an airline or hotel chain.
- Someone outside the organization books the trip, such as a partner or a supplier to the organization.
- The employee travels using their own transportation, such as a personal car.
- The employee buys tickets locally at the departure site, such as a train station or airport.
This is called “out-of-policy bookings” and has been reported in some cases to be as high as 68% of the total bookings for the organization’s employees.
Another issue when using the designated TMC or CTD in a TRM solution is that the data that comes from the travel database often includes errors such as misspellings, missing data, or group bookings with only names. This causes problems during an incident because there might not be enough data in the travel database to identify the employees or their contact information. You can read more about this under the section “Bad travel booking data.”
The result is that even though the TRM or CTD has a crucial role and must be included in a comprehensive TRM solution, the TRM solution cannot exclusively rely on the data coming from the travel booking and must be complemented with other data and solutions, such as mobile tracking (this is described in more detail in the section “Mobile phone locator”).
Download the e-book here
A tutorial on Travel Risk Management.
Medical assistance provider
A medical assistance provider is a crucial supplier in a travel risk management program since health-related issues are the second most common type of incident for work-related travel.
If you have medical insurance coverage for your employees when they are abroad, you most likely have a medical assistance provider included in that insurance policy for employees to contact when they need medical assistance during travel.
The issue with only relying on the medical assistance provider in your insurance is that they are tied to the insurance policy, which means you might not get any assistance for incidents, medical or non-medical, that are not covered by the insurance policy.
In fact, medical assistance providers frequently try to minimize costs for the insurance companies in their agreements. Medical assistance companies use cost savings as a selling point in their marketing to the insurance companies. This is why you need more than just insurance to fulfill your duty of care for your employees, and you cannot solely rely on the medical assistance provider bundled with the insurance.
When implementing a managed TRM solution with assistance, the assistance provider must be able to handle both medical and non-medical incidents outside the limitations set by the insurance policies.
From the employer’s perspective, it is important to provide only one assistance number for employees to call in all types of emergencies. One cannot expect an employee in a stressful situation abroad to be able to sort out which assistance provider to call.
The most common solution here is to make the medical assistance provider the first point of contact for all types of emergencies, and then the medical assistance provider will bring in other suppliers if needed, such as security assistance.
Another solution is to have the assistance provider that acts as the first point of contact, such as a security assistance provider, evaluate the call and connect the employee to the medical assistance provider for medical incidents. (Please see the section “Role relationships between emergency assistance providers, employers, employees, and travel insurance” for illustrations of different medical assistance setups.)
If the medical assistance provider is the first point of contact, the organization needs to have a direct agreement with the assistance provider and cannot rely on any indirect agreement through insurance since the medical assistance provider will be given the task of handling incidents sometimes not covered by the insurance policy.
Optimally, the medical assistance provider should have an agreement with the insurance company to manage insurance claims directly with them, or be able to coordinate with another medical assistance provider that has an agreement with the insurance company.
The reason for this is that during an emergency, the medical assistance provider should always guarantee the medical expenses and then manage the damage claim with the insurance company afterward. Since medical emergencies need to be managed immediately, it would be impossible to start a long bureaucratic process with the insurance company to accept the cost every time somebody calls with the need to go to a hospital in a foreign country.
Therefore, it is best if the medical assistance provider is approved in advance by the insurance company and an agreement is set up between them to take care of the claims after the fact. A useful tip here is to use well-established medical assistance providers because they often already have agreements with insurance companies.
Security assistance provider
Most work travel incidents are travel disturbances or medical-related. However, there are both pre-travel processes and real-time incidents that are security related, and in these cases having a security assistance provider is a necessity for properly implemented managed TRM solutions.
A common pre-travel security service is, for example, booking secure ground transportation. In high-risk areas, it is important to be able to move from one point to another, such as from the airport to the hotel or from the hotel to the meeting, in a secure manner.
When a security-related incident happens, it is also important to have security services like evacuations or access to local security personnel on the ground for assisting on site.
Role relationships between emergency assistance providers, employers, employees, and travel insurance
For a managed solution with assistance, there exist four basic role layouts:
- The first point of contact is both a medical and security emergency assistance provider. (Figure 2.1)
- The first point of contact is a medical assistance provider with a security assistance provider as a sub-supplier. (Figure 2.2)
- The first point of contact is a security assistance provider with a medical assistance provider as a sub-supplier. (Figure 2.3)
- The first point of contact is a 24/7 travel assistance provider, internal or external, that coordinates the appropriate medical, security, or other assistance services. (Figure 2.4)
For reference, below (Figure 3) is a typical inadequate solution that does not fulfill your duty of care since it uses only insurance and the medical emergency assistance provider included in the insurance:
Download the e-book here
A tutorial on Travel Risk Management.
Although insurance companies ultimately only handle claims and cover costs, the insurance companies and their insurance policies are vital components of a TRM program and managing incidents.
By having an insurance company cover the costs and, more importantly, knowing the insurance company will cover the cost, the organization or employee can act swiftly. Otherwise, the cost question might stall the process or create uncertainty about how to manage an incident. For example, when an employee needs to seek medical care abroad, in the worst case, the employee might need to temporarily cover large expenses out of pocket, which they might not be able to pay.
A common service provided by emergency medical assistance is to guarantee payment to hospitals abroad for expensive emergency care. That is why the CDC (Centers for Disease Control and Prevention) recommends selecting travel insurance that makes payments directly to the hospitals.
To complicate things further, the structure of insurance for work-related travel varies widely between countries and even between insurance companies within a country.
For example, in Europe, it is common to need extra travel insurance to get medical care for employees abroad since domestic medical care is usually covered by the state, while in the U.S., some health insurances might, by default, include medical care abroad. On the other hand, European travel insurances usually include additional coverage such as lost luggage.
A common mistake that many organizations make today is not updating the travel-related insurance when the organization grows. For example, travel insurance is often tied to the country of origin and the number of employees. When an organization expands with more employees or opens an office in a new country, the existing travel insurance often does not cover those employees.
The recommendation is therefore to contact your insurance broker, or get an insurance broker if you don’t have one. Describe the level of insurance protection you want, where you have employees, how many you have, their travel and work patterns, and how the insurance should work with the TRM program. Then let your insurance broker do the heavy lifting by figuring out what type of insurance you need and from which insurance companies.
The complexity of insurance policies creates a high risk of your organization being underinsured in many situations, and it is important to understand the exemptions in the policies. For example, insurance might not cover pre-existing medical conditions that were known before travel, accidents during extreme sports, bleisure travel (mixing work travel with leisure travel), or non-covered high-risk countries.
The employment form of your employees is also a factor to consider. For example, some insurance policies include consultants while others exclude them. If the consultant does not have their own insurance to cover their work-related travel, you might end up in a legal battle over who should carry the cost. If you have consultants in your organization, either your insurance needs to cover your consultants or you need to have checkpoints to ensure the consultant has their own TRM program or travel insurance that is compatible with your TRM program.
Travel insurance policies are commonly sold in packages per trip, per employee, or for the entire organization. It is my strongest recommendation to select travel insurance that covers the entire organization all the time. It is easy to miss buying travel insurance before employees depart on a trip abroad, or to miss that the insurance only covers select employees.
The primary goal of the insurance setup from a TRM perspective is to make sure that incident processes work efficiently. It is important that cost coverage and payment setups be in place, as lack of such setups could delay, block, or otherwise be detrimental to the incident processes in the TRM program.
The recommendation here is to get help from an insurance broker. Inform the broker of what your entire organization looks like and how you plan to design your TRM program, and ask them if there are any insurance gaps that need to be covered with additional insurance.
Sometimes the terms “risk” and “threat” are used interchangeably, even though they are two different things. A threat is something that might become a risk if the employee is exposed to the threat. For example, some areas in Mexico are known for the high threat of being kidnapped, but if no employee ever visits these areas, then there is no risk for the organization from that threat.
Kidnap and ransom insurance
“Kidnap and ransom” is a special type of insurance that is seldom included in travel insurance and needs to be purchased separately.
Kidnap and ransom insurance can be crucial for large organizations operating in countries with high risk of kidnapping. In order to be valid, kidnap and ransom insurance must be kept classified from the employees so that the existence of the policy does not entice kidnapping. It is also important to note that in some countries, kidnap and ransom insurance is not legal; therefore, it might not be possible to purchase such insurance.
Threat intelligence provider
A threat intelligence provider, also called a “risk intelligence provider”, is needed to understand the risk in travel risk management.
The threat intelligence provider makes frequently updated threat assessments of countries and regions. Most providers also offer a real-time 24/7 alert service for time-critical threats. Some of these providers can correlate the organization’s risk exposure and thereby provide the actual risk, such as correlation with facility locations, employee locations, or special types of operations within the organization (e.g., maritime activities). The threat intelligence provider can be purchased as a standalone provider or, in many cases, as an integrated service with other security services or even integrated with the TRM solution.
The threat intelligence provider is a crucial component of the risk assessments that determine which countries or areas employees may travel to and what security preparations need to be done before departure. The 24/7 real-time alert service is also critical for proactive assistance in case a threat develops. If a traveler is in the area or plans to go to the area, then it is important that they receive these real-time alerts to act quickly to mitigate the threat.
Download the e-book here
A tutorial on Travel Risk Management.
The organization’s management has the most important role of all in a TRM program since a TRM program is only as successful as the commitment of the management. The ISO 31030 framework puts “Leadership and Commitment” in the center of the framework connected to everything else since all other work and results depend on these two factors.
Failed implementations of TRM are mostly due to poor commitment from the management. One of the most common issues here is that management decides to implement a TRM program without allocating the required money or resources. This means TRM falls into the same business pit as most other types of security by being seen as a non-revenue-generating cost that should be minimized until the day something goes seriously wrong.
One should see the role of the management as that of the internal buyer; if the buyer (i.e., management) is not ready to pay for good quality, then it will not be possible to deliver good quality. If the TRM program is of poor quality, then the management will not fulfill their duty of care, and the organization might face financial and reputational damages. Such damage will ultimately be the responsibility of the management, caused by their unwillingness to provide proper protection for employees to save costs.
The tip is to focus on buy-in from the management by explaining that a good quality TRM program is required to fulfill the duty of care and that, to build such a program, TRM must be given its own financial budget and clearly marked allocated resource time.
When an incident occurs that affects traveling employees, several tasks need to be managed and coordinated internally within the organization. Different processes are started depending on the severity of the incident and the number of employees affected. If the incident is of very high severity and affects many employees, then the organization’s crisis team is often involved. If the incident only involves a few employees, which is typically the case for TRM, then the TRM response or assistance team usually handles the incident without any involvement from the crisis team.
The crisis team handles much more than just travel-related crises since employee travel is just one small aspect of crisis management work. However, if a major disaster occurs abroad, the crisis team may have the responsibility of locating all employees in the affected area, including travelers, to check if they are OK. This means that the crisis team will sometimes need to work closely with the TRM team and use the TRM solution.
When implementing and operating a TRM solution, many work tasks and processes need to be in place.
Leadership commitment and communication
The success of the TRM program is dependent on the top management’s commitment, and the top management should make it crystal clear that all travelers must follow the TRM program. The best way to achieve this is to set an organization-wide policy that all travelers must join the TRM program, and that refusing to join can result in travel being denied.
The top management must also allocate the necessary funding and resources for the implementation and operation of the TRM program. Otherwise, it will become merely a paper product for rubber stamping compliance. Since TRM is often seen as only a cost from the management’s perspective, it is a common problem that a TRM program is put in place without adding new resources.
The required added resources can be budgeted funds for outsourcing everything to a TRM supplier or adding employees to perform the work internally (or, in the best case, a combination of both). Adding a TRM program without adding resources results in the TRM program becoming minimized and often ends with a poorly functioning TRM program that does not fulfill the duty of care.
The rollout process is about establishing the TRM program with the employees. Employees need to know what number to call in case of emergency, where or how to find insurance policy numbers, which travel management company to use for booking business trips, installing mobile applications, taking e-learning courses, etc.
The rollout process is the key to getting a good adoption rate for a TRM program. A common cause of poor rollout is not having the full commitment of the top management.
The rollout process itself is part of the implementation phase in the ISO 31030 framework and contains many different tasks depending on how the TRM program has been designed and the tools selected. A typical rollout includes:
- Informing all the employees
- Establishing processes within and between travel management companies, assistance providers, crisis teams, organization management, etc.
- Installation of tools, such as mobile applications, integration of the TRM platform, etc.
- Education of employees
A poorly done rollout process is often the reason for a TRM program being poorly implemented.
For a comprehensive solution, the pre-travel processes are the most effective processes to implement in a high-quality TRM program. Pre-travel involves many different processes depending on the TRM program setup, but common processes are:
- Pre-travel authorization
- Booking processes using designated travel management companies
- Education and e-learning processes
- High-risk booking processes
These processes are explained in detail in an earlier section under “Pre-travel processes.”
If you are using an external emergency assistance provider, which is a common case, the assistance processes are tightly tied to the internal processes of that provider. Processes need to be established for efficient interaction between the emergency assistance provider, your own organization, and other sub-suppliers.
These can include the following processes:
- Proactive assistance reporting
- Reactive assistance reporting
- Assistance processes between medical assistance and security assistance if separate security and medical assistance providers are used.
Download the e-book here
A tutorial on Travel Risk Management.
Common Mistakes and Misunderstandings
The mistake of thinking travel insurance is enough
It is a common misconception that it is sufficient to only get travel insurance or to use existing insurance that includes work-related travel and provide the employee with the insurance policy details. If the organization only provides standard work-related travel insurance and nothing else, then it will not fulfill your duty of care, and the organization is exposed to legal and financial risks.
The main reason why standard work-related travel insurance is not enough is that insurances have limitations on what is covered, and employees and organizations have no insurance coverage or assistance processes in place for events outside these limitations. Risks that work-related travelers are often exposed to are commonly excluded in the insurance (for example, pre-existing medical conditions, evacuations due to security and health threats, kidnappings, personal threats, cyber security attacks, natural disasters, etc.).
Travel insurance focuses on medical coverage for medical emergencies, followed by travel disturbances, one of the most common types of incidents during work-related travel. Additionally, travel insurance usually only covers the employee during work-related tasks. The effect is that if an employee calls the emergency assistance provided by the insurance for events excluded in the insurance policy, the employee might not get any assistance at all, and if they do receive assistance, it will be the responsibility of the organization or employee to cover the costs in the end.
After the big Fukushima nuclear disaster in Japan, which is the second largest nuclear disaster in the history of mankind, many business travelers were afraid of the radiation risk and wanted to leave Japan as soon as possible by booking very expensive flight tickets. When the travelers were home, many organizations and employees were surprised to find out that their insurance did not cover the evacuation costs. If they covered anything at all, the insurance would only cover the evacuation trip home if a traveler had been afflicted with radiation poisoning, and not for the possible risk of radiation poisoning.
The misunderstanding that mobile phone location tracking is privacy-invasive
It is a common misunderstanding that mobile phone location tracking for a TRM solution must be privacy-invasive. There are solutions to guarantee the employees’ privacy and thus gain their trust. It is done by limiting the organization’s access to the location data to prevent any type of misuse.
Employees usually accept that the organization knows the details of their flight, train, or hotel booking, but are often more reluctant to share their mobile phone location. It is an understandable fear because real-time mobile phone location tracking can be misused by the organization to spy on the employee. It is therefore important to add privacy mechanisms to the mobile phone tracking solutions to guarantee the privacy of the employee.
TRM platforms today contain different types of privacy filters to protect employee privacy. Some examples are:
- Location data can be obfuscated to a grid, like 10×10 km.
- Employees can set an obfuscation area of the location or turn the location off.
- It is also possible to protect privacy through an agreement setup by using an external emergency assistance provider that is the only party that can access the mobile location data.
Download the e-book here
A tutorial on Travel Risk Management.
The culture in the organization and strong personal opinions are common obstacles to a TRM program. Below are some of the more common cultural problems.
Many work-related travelers are seasoned travelers that have traveled for many years and have been exposed to high-risk situations without any TRM program. These travelers may view themselves as daring explorers that are used to the risks, accept the risks, and have a history of managing everything by themselves. These experienced travelers might feel that following the TRM program is like having a babysitter and is unnecessary for them due to their experience.
Outside travel policy bookings
A crucial function of any good TRM program is that the TRM solution covers as much work-related travel as possible within the organization. This is mainly achieved by using designated travel management companies.
However, even when such a booking policy is set in place, many do not follow the policy and book using other means. Common reasons are finding a cheaper ticket online, booking on the fly, the traveler wants to select a specific airline to get loyalty points, travel management being unable to make the booking, the travel management company being slow or not having 24/7 service, or the employee simply being unaware of the policy.
Whatever the reason may be, outside travel policy booking is a big problem. The most common solutions for outside policy bookings are:
- Add a mobile location solution so if the employee books outside the designated travel management company, it will still be possible to locate the employee using the mobile phone.
- Have the TRM system read booking confirmation emails. The employee can forward a copy of the booking confirmation email to a designated email address. The TRM system will then automatically look through the booking text and add the booking into the TRM system as if it was booked by the designated travel management company. It is also possible to set up automatic filtering of all incoming emails, so if an email originates from an online booking agency, the TRM system will automatically add it to its travel booking database.
The most common technical problems in TRM solutions are:
- Bad travel booking data
- Mobile phone location tracking not working
- Incorrect or missing data on employees, such as name, phone number, email, etc.
The International Air Transport Association (IATA) 13 provides a standard called IATA Resolutions and Recommended Practices Directory. 14 The standard resolution 830d, which is binding for all IATA members, describes the requirement for the PNR data entry. When there are issues with bad travel booking data, it is commonly due to the travel management company violating IATA resolution 830d when entering the booking.
Bad travel booking data
Bad travel booking data is a common problem caused by the underlying computer systems. They are often very old legacy systems, and there are hardly any automated data checks on what is entered into the system.
Booking data is, therefore, usually of low quality and dependent on how meticulously the booking agent at the travel management company enters the booking data.
For example, booking systems may have free-text fields with no proper data checks where it is possible to mix names, emails, and phone numbers without any checks or verification processes on the data entered.
Group bookings are another issue that the underlying booking system is not properly built for.
Mobile phone location tracking not working
Mobile phone location tracking might sound simple, but it often stops working because it is very technically complex. The reason is that mobile location tracking operates in the background of the phone system, meaning the employee does not need to manually open the mobile application every time a TRM system needs a mobile location update.
The background functionality feature presents a long series of technical challenges because the manufacturers of mobile operating systems (Apple for iPhones and Google for Android phones) have implemented many ways to block or reduce background functionality. The primary reasons are preserving battery time, which is an important sales factor, as well as reducing cyber security risks and privacy risks.
To make it even more complicated, many big handset manufacturers create their own versions of the Android operating system and often make modifications to background functionality and location functionality.
With the rise of new data protection and privacy laws such as the GDPR in the EU, the legal work around implementing a TRM program has grown significantly.
It is important to note that all existing and emerging data protection and privacy laws still allow a comprehensive implementation of a TRM solution with all the bells and whistles. The issue is getting all the legal paperwork in order and implementing a TRM solution that is legally compliant and in line with the legal paperwork.
The most common legal issues are:
- Cross-border transfer of personal data. Data protection and privacy laws in the EU, Russia, and China, for example, set hard requirements on if and how personal data may be transferred outside a country or region. This requires both a technical solution to fulfill these requirements and legal agreements between the organization and the technical solution provider.
- Who owns and controls the personal data? It is important to establish who is the controller of the personal data or similar depending on local law. Once that is established, agreements must be entered with sub-suppliers of the TRM solution that describe who controls the employee data. Not only is this a legal compliance demand in many countries, but it is also important to have a clear legal responsibility in case of a data breach and to limit the secondary use of the data.
- Cyber security. The cyber security threat grows every day, and personal data such as employee locations, medical conditions, travel plans, etc., are high-risk data in a cyber security data leak. Proper legal documents need to be set in place with technical providers ensuring proper data protection measures are implemented for all systems collecting and storing personal data.
When establishing a TRM solution, there are many processes that need to be working smoothly.
As with all types of processes within modern organizations, many technical tools and solutions exist to support these processes. Below is a list of the most common ones used to manage and assist the processes required in a TRM implementation that fulfills your duty of care, such as a TRM program according to ISO 31030.
One popular technical tool is a travel tracker that collects travel bookings. This is usually a system that is integrated with the travel management company and automatically receives copies of all flight, hotel, train, boat, and taxi bookings. The travel tracker allows the people responsible for managing an incident to search bookings based on geographic areas or individuals.
The most valuable output from a travel tracker is the ability to see future travel bookings to manage the risk for employees planning to go to an area or en route to an area.
The major limitation of travel trackers is that they only display booked locations and not where employees are in the moment. For example, the tracker can show where an employee landed several days ago and where he or she plans to stay for the night, but the employee could be in a completely different city or even a different country than what the tracker shows. Therefore, travel trackers need to be complemented with other technical tools and solutions, such as mobile phone locators.
Mobile phone locator
A mobile phone locator provides the real-time location of the employee’s mobile phone. Compared to travel trackers, mobile phone locators provide up-to-date and often more detailed location information. The mobile phone locator solves the issue presented by travel trackers and fills the gap in the travel booking information, such as where a business meeting occurs or when an employee deviates from the planned booking due to travel disruption or changes in the travel plans on the go.
To protect the privacy of employees, several technical solutions exist, such as privacy filtering or obfuscation by limiting location tracking to grids instead of exact positions. This ensures that the location information cannot be misused by the employer to spy on the employee. Some organizations only allow an external assistance provider to have access to the mobile location data and thereby block any possible misuse by the employer.
During an incident, many people might be affected, and it would be too slow to communicate manually with each person one on one. Therefore, a mass communication tool is necessary to be able to communicate with all personnel, and not only travelers, in the affected area.
This functionality is similar to the mass communication functionality often found in business continuity and crisis management tools, and there is frequently an overlap between the systems. However, unless the business continuity and crisis management tool contains TRM functionality, it lacks the travel tracker information necessary for mass communication to function in a TRM context. That is the primary reason for the overlap that often exists between the systems.
Integrated TRM platform
Historically, the technical tools listed above were separate standalone platforms. As technology has matured, the most common solutions today for new installations are integrated travel risk management platforms with some or all of the tools described above in one platform. Several of these TRM platforms also have APIs to integrate with other technical systems, such as identity platforms for managing login credentials or HR platforms for employee personal data.
Related Programs, Functions, and Systems
Crisis management is activated when a major incident occurs that affects many employees or impacts the organization severely in some manner.
Depending on the type of crisis, sometimes TRM comes into play and is part of crisis management. For example, when a major disaster occurs at a facility, TRM has a crucial role in locating travelers that were visiting the facility at that time. TRM can also call upon crisis management for certain types of TRM incidents, such as kidnappings or travel-related incidents that become a public interest and affect the organization’s public relations.
Mass communication tools
This is a key component of a TRM solution because when many travelers are affected at the same time, a mass communication system is required, as it would take too long to reach out to each traveler individually.
It is therefore common for TRM systems to include or integrate with a mass communication tool that can be used for both travel and non-travel situations. Crisis management uses similar mass communication tools, and it can be valuable if the same tool is used for crisis management and TRM.
Business continuity management
Some organizations, like Gartner, place TRM as part of a business continuity management program, even though it is most often designed, implemented, and operated separately from business continuity. However, there is an obvious overlap here because the top management usually travels frequently, and any type of risk that could hinder the top management from operating normally can be considered part of the business continuity program.
Additionally, cyber security, which is today a primary topic in business continuity, has travel-related cyber security risks on its agenda (for example, how to secure devices and internet connections during work-related travel). A good business continuity program should include cyber security training for travelers and add cyber security requirements to the travel policy.
Download the e-book here
A tutorial on Travel Risk Management.
With the growth of remote workers, employee mobility is on the rise and is sometimes called “people mobility.”
As the mobility of employees and the work-from-home trend grow, the boundaries between work-related travel and people mobility become fuzzy. For example, if a tornado hits Florida in the U.S., an organization might have both a work-related traveler in the area and an employee working remotely in the same area. Should the employer help both employees or only the one that has been ordered to travel to the area? Exactly what is the employer’s responsibility for the employee that made their own decision to work remotely from that area?
People mobility and TRM therefore intersect, and many of the tools for mitigating the risks of people mobility are the same as the tools within TRM. Therefore, in a perfect world, TRM should be seen as part of all risks for all employees and not a standalone component for travel alone.
The Future of Travel Risk Management
The mobility trend, which got a real boost from the Covid-19 pandemic, erases the boundaries between work-related travel and working from a remote place. This will make the “travel” part of travel risk management redundant, and other types of organizational risk management will need to add a “travel” consideration since many employees, in fact, are traveling when working remotely.
One could say that travel risk management needs to be merged with organizational risk management into a new area called “people risk management.” So, the future of TRM is looking at risks related to people wherever they are. People risk management.
Another prediction is that we will see a growth of technical support systems with more automation and more integration into other IT systems.
No matter which way travel risk management develops over time, one trend is crystal clear: the world is becoming more global every day, and it is far from safe. This means the need for travel risk management will continue to grow in whatever form it will take or whatever it will be called in the future.
Summary Checklist for Fulfilling Your Duty of Care
TRM is a vast area, and if you want to make sure you have everything covered for your duty of care compliance, the ISO 31030 standard provides an extensive list. However, implementing a TRM program according to ISO 31030 is a daunting task, and the standard provides little guidance on what to prioritize.
Below is my personal checklist of what should be prioritized in order to make great strides on the journey to fulfill the organization’s duty of care. If you contact a TRM solutions supplier, they will be able to assist with several of these items.
- Get commitment from the management to implement a TRM program with budget and resource allocation.
- Make sure you have good travel insurances that have a wide coverage for all the odd situations that can occur during work-related travel.
- Set up an agreement with an emergency assistance supplier that can manage both medical and security incidents. Employees should have one phone number to call, no matter what type of emergency.
- Create a travel policy.
- Designate a travel management company that is mandatory for all employees to use.
- Set up a technical system for employee location, such as a travel tracker, mobile phone locator, or similar.
I wish you success on your journey to create or improve your duty of care for all the people in your organization.
Andreas Rodman, Co-founder, Safeture
Get your physical copy here
Order the e-book on Amazon today! Available in both English and German.