Overseas travel, particularly business travel, can be seen as glamorous by the uninitiated. In reality, it can be fraught with risk. For those climbing Mount Everest, risk is part of the experience, but for the average business traveler, danger should not be part of the trip.
It is clear that everybody has a different appetite and perception of risk. Equally, we all instinctively manage risk to some extent day in and day out to ensure nothing goes wrong in our daily lives. Business travel should be no different, both for the traveler and the company. For businesses not to manage risk would be remiss at best and potentially negligent at worst. While business travelers should expect their companies to undertake reasonable steps to ensure they are fully prepared and aware of the risks and how to mitigate them, the business itself should reasonably expect the traveler to heed the advice and corporate travel safety training provided.
Reconsidering Corporate Travel Safety and Security
One could be forgiven for thinking the world is always a dark and dangerous place. For many years, we’ve been increasingly fed on a diet of 24-hour news coverage from channels such as CNN, N24, RT, BBC, Al-Jazeera, and so forth. Many corporate security executives and their operations’ teams are professionally tuned into these news sources. This is alongside advice from governmental bodies coupled with information from travel security and intelligence providers. In the digital age, more contemporary news feeds like those found via social media sites such as Twitter, LinkedIn, and Facebook are often the first to break emerging stories surrounding incidents. This constant coverage, by and large, reinforces to us that only bad things happen. So it is fair to ask how often we see a positive news story.
Recent incidents have shown to us that it’s not only the parts of the world with weak law and order, security, or governance where our employees can be put at risk. We’ve seen these recent incidents happening in many major European cities, such as Berlin, London, Paris, Madrid, Brussels, and Istanbul, inevitably bringing death and destruction with them. The focus of security executives has, therefore, had to evolve to include cities previously considered “safe.”
Incidents have also continued to happen in parts of the world long considered challenging environments, parts of the world where businesses—particularly those with a retail dimension—have sourcing, manufacturing, or supply-chain operations. While these major incidents, wherever they may occur, grab the headlines and rightly a significant amount of our collective professional attention, we must not forget the more common incidents that regularly impact our colleagues.
The frequency of incidents such as road traffic accidents, petty crime, sexual harassment, and illness or injury requiring medical attention is many times greater than those that are the focus of news reporting, as is the probability of travelers encountering such circumstances. How many people travel with prescribed medicines, and how many of those have given adequate consideration to the legality of that medicine in their destination countries or their ability while there to acquire the necessary healthcare or prescription refills? The medication point is particularly important. While perfectly legal in the traveler’s home country, it may be deemed illegal in the destination country, and harsh penalties can be brought to bear—turning the previously innocent business traveler into a drug trafficker as they cross the border.
How many employees rent a car in a foreign country immediately after getting off a long-haul flight? Is the person competent to drive in that country? Are they well rested? Did they drink alcohol while on the flight?
This post is for general awareness and information purposes and should not be relied upon as legal advice. It is beyond the scope of this article to go into detail on every country’s legislative framework or to serve as a comprehensive review of every applicable law.
Duty of Care
The broad term used to describe this corporate responsibility is “duty of care,” and it is equally applicable to the health, safety, security, and well-being of employees, contractors, and other people the organization has responsibilities toward. Across a number of countries, both the corporate entity (and in some cases, the parent company) and individuals within the company can be held accountable by the courts for duty-of-care failures.
Any corporate entity is required to robustly demonstrate that it has adequately discharged its duty of care across the full range of incidents from the headline grabbing to the more common. The focus of this duty is often restricted to those employees engaged in business travel. It should not be forgotten, however, that duty of care extends also to local employees, expatriates, and potentially even to their dependents and those residing with them.
All this is set against a volatile, uncertain, complex, and ambiguous world, while facing a challenging backdrop of inconsistent global standards, limited guidance for employers, and an increasingly mobile workforce. As business becomes ever more global and people more mobile, companies are regularly sending employees to far-off destinations with little or no notice to deliver on strategically important objectives. But it must be remembered that none of these extenuating factors diminish the responsibility of the company. The potential implications of any type of incident occurring where the duty of care is not robustly considered and fulfilled include not only lawsuits and resultant damage to brand and reputation, but also the potential to impact the retention of existing and attraction of future employees, students, or brand ambassadors.
Executives will no doubt in the future be called to account for their actions or lack thereof in relation to delivering on the reasonable expectations of employees, shareholders, customers, and relevant legal and regulatory bodies for breaches relating to corporate travel safety and risk management. Duty of care is not simply a moral or an ethical consideration or one that should be a matter of course for any “employer of choice”; it is a legal requirement in many European countries. Many of those countries where it is currently not a legal requirement are now reviewing the enactment of such laws.
The duty of care and the corporation’s obligation (and that of executives) to organize itself in an appropriate manner is increasingly being used by shareholders as a basis for legal action when a business has, in the investors belief, not adequately discharged its duty of care. Those investors are seeking legal redress to recoup losses related to negative share-price impact.
It is not beyond the realm of possibility that this could be brought to bear in relation to business travel or other security-related incidents impacted by foreseeable risks—surrounding for example launch events or expat assignments, especially where the impacted person is or could be a VIP, brand ambassador, or key member of the executive team. This is particularly crucial if a company has comprehensively failed in its duty of care or there is a significantly negative share-price impact.
Tone from the Top
A notable challenge (as with any topic within a large corporation) is the “tone” from the top, without which there will be little traction. To ensure the correct level of focus, there is a requirement to have strong leadership commitment from senior management up to and including the CEO. This is particularly relevant given that corporate travel safety management and duty of care do not sit in an isolated silo. Rather, they span multiple departments within an organization and require cross-functional work. Signposting this commitment will significantly support the integration with day-to-day business processes and the focus of relevant stakeholder parties. An unambiguous tone from the top will also go some way to ensuring the requisite level of budget and resource, which is imperative to success.
There are key aspects that will support a corporation in demonstrating it is taking its duty of care seriously. These include, but are not limited to, vision, strategy, policy, clearly defined roles and responsibilities, threat identification, risk assessment, prevention and mitigation strategies, incident and crisis leadership, communications processes, and decision-making authority. The corporate travel safety management vision, strategy, and policy must support the company’s strategic direction, enhancing its ability to achieve its overall objectives. After all, security has the fundamental aim of facilitating the business wherever its risk appetite may take it. The travel risk management strategy in common with the organization’s enterprise security risk management activities should be baked into the business’s overall risk management process.
Turning to the travel security policy, this should provide a framework for the security objectives surrounding travel, and it is the organization’s opportunity to set out a statement of intent providing the formal outline of what the organisation will do to keep the people it has a duty of care over safe. It is the organization’s chance to clearly state that people should not place themselves in imminent danger nor will they be expected to do so. Such a policy should also address the interactions with other relevant policies within the organization, for example, incident management or insurance.
Such a policy cannot be written in isolation and must be written in consultation with all relevant stakeholders, particularly those whose responsibilities have ramifications on travel. Furthermore, a key aspect of the policy should be the unambiguous assignment of responsibility and authority surrounding travel risk management. Naturally, the policy should be a living document subject to periodic review at a frequency defined by the organization, for example taking into account changes in legislation, debriefings post-incident, or changes in the organisation’s risk profile.
Companies such as Uber, Airbnb, and the future similar examples not yet conceived further illustrate the requirement for periodic review of policy. Your employees are using them in their private lives and for business. Any policy needs to reflect that reality, whether accepting or restricting their usage. It is also illustrated by the recent travel moratorium implemented by the United States. Whether you agree or disagree with it, your policy has to take it into account. The policy and its intent should also be communicated to all relevant parties, respecting the culture both of the organization and of the individual countries where it is to be implemented.
Corporate travel safety training should be a key component of any travel risk management program. Once adequate training is provided (and documented), any traveler can carry out threat identification as he or she identifies danger. Proactively empowering travelers by ensuring that they are well prepared and possess greater levels of awareness is an effective way of evidencing the duty-of-care processes. Training will need to cover travelers in general and will also encompass different levels according to the threats and risks identified. Every traveler will need to know the basics, including the scope of the travel security and risk management provision that is in place and how to access it. At the basic level, one example is the knowledge of the telephone number of the retained travel security and medical assistance provider.
Employees should be aware of their responsibilities in the effective management of travel security and the potential impact of their work and their actions. The implications of non-compliance both for the individual and for the organization should be clearly articulated.
A comprehensive assessment of the training needs should be undertaken. For example, not all travelers will require hostile environment awareness training (HEAT) or security awareness in a fragile environment (SAFE) training courses. There will also need to be consideration of any specific nuances relevant to the culture of the destination that may need to form part of the training. Training should not be restricted to those traveling but should also include those people who book travel or organize events.
Having the correct processes in place for both threat identification and for the risk assessment of travel are the fundamental starting points for travel risk management. Profiling both the traveler and the destination is an important factor in the process. There are multiple components that can increase (or decrease) risks for travel to specific locations, including experience of the traveler, age, gender, sexuality, nationality, and culture (of the destination and of the traveler).
These processes should be used whether the travel is to low-, medium-, or high-risk destinations. For travel to higher-risk locations, the process should include a justification around the approval given for travel and who made the decision. It is also necessary to consider any existing medical conditions and the required clinical or medicinal treatment. Threat identification and dynamic risk assessment must be an ongoing process. It is not something that can be done once and then disregarded. Threats and risks will change, as will business needs. Adequately addressing the duty of care will only be achieved if such processes are documented sufficiently. The baseline minimum expectations would need to include providing evidence as to the policy, the criteria, the mitigation measures against which the decision was made to permit travel, and who made the decision.
Where risk or threats are identified during travel, processes should be activated that alert and advise the traveler accordingly. It’s obviously advantageous that these processes are rehearsed and have adequate internal and external resources applied to them.
Prevention and mitigation strategies should be prioritized, first aiming to eliminate the risk entirely. Secondly, where the risk cannot be eliminated, the resulting aim would be to minimize the risk. And where neither is possible, put in place strategies to control the risk. Any such strategies will have to take account of travel destination, travel route, travel methods, travel itinerary, and the traveler profile, thus underlining the dynamic nature of the process, as many of those aspects can be (and often are) subject to change. As would be expected, any mitigation or prevention measures have to be proportionate to the risks faced and the corporate risk appetite.
Incident management training should occur regularly with clear response plans that identify the responsibility and authority levels of those involved alongside escalation protocols. Where the threat and risk levels are deemed sufficiently high, the protocols should include repatriation plans covering all people the organization has responsibilities for and who can initiate such plans. It is imperative that a communications professional be included both in incident management (IM) teams and any subsequent crisis leadership. The IM team must be fully aware of the organization’s capacity to respond to any incident including any dedicated resources, local support, and external providers.
A key challenge relating to incident management is identifying where travelers are at any given time. Not knowing exactly where impacted persons are when an incident takes place can lead to unnecessary workload, missed opportunities, and increased risk. Providing a level of traveler tracking either by phone-based app or using standalone GPS devices is one solution. However, without the correct processes, resources, and training in place, this will provide a false level of comfort.
There is clearly no reward without risk. With the right preparation, planning, training, and risk mitigation, the rewards of business travel for both the organization and individual can be huge. Happy travels!
This article originally appeared in LP Magazine Europe in 2017.