In the corporate sector, safety and security risk management (i.e., calculation, prioritization, and mitigation) generally revolves around static assets. Besides millions who travel each year for pleasure, it must be remembered that a large number of employees from different organizations travel locally and internationally for business. While doing that they are exposed to a range of security, safety, and health-related risks, which if are not foreseen, later on, may result in business losses and legal liabilities.
As the ‘risk reality’ of business travel is quite different, the organizations and the travellers will continue to face new and ever-evolving challenges; and to overcome these, enhanced strategies for travel resilience are required, which essentially should go beyond just purchasing the travel insurance.
While handling this perilous issue, organizations should take a wide-ranging and proactive approach towards protecting their business travellers. The foremost step is to know the industrial guidelines, standards, and regulations for Travel Risk Management (TRM); and then simultaneously ensuring strict compliance.
In the succeeding paragraphs, we will be going through the framework of TRM, while discussing different segments, and advising essential plug-ins.
Policies and Procedures
In general, organizations and their different departments spell out their purpose, priorities, and resolve through their well-defined policies and procedures. The Security & Safety departments of an organization should also develop, implement, maintain, and mature policies and procedures for TRM, which should address all the key areas of this particular operation. The policies should be evolved in a manner that they cover Pre-During-Post travel activities of the traveller employee/s in detail.
While preparing the first draft of Policies and Procedures, industrial best practices, standards, and guidelines should be incorporated and consulted in-depth, as policies would act as a foundation of all activities related to these operations.
As briefly mentioned above, there are legal responsibilities and necessities to be implemented in a TRM program. These legal obligations are seen through a prism that whether the organization has done everything which is “reasonably practicable” to protect the health, safety, and security of the employees in the context of TRM. Some of the specific elements which encompass legal obligations are:
Duty of Care is a powerful principle determining corporate responsibilities towards its employees, and it is assimilated within the policies and procedures; legislation is enacted to enforce the duty of care concept. Duty of care applies even to the shortest possible travel.
Duty of Disclose mainly focuses on an organization’s responsibility and legal obligations to monitor and disclose potential risks to its employees, and specifically to its business travellers. For example, if a major demonstration is scheduled for Karachi, and afterward an employee books a business trip, without knowing it, and later on due to protest and related traffic issues misses the scheduled meetings, despite that the employee faced no personal threat, the company just spent thousands of Rupees for nothing. Several weeks later the company may have to spend thousands more to send them back to complete the unfinished task.
In Standard of Care, an organization must display that it was not “reasonably practicable” to do more, or that management did take every step to implement “reasonable precautions and due diligence” to meet its standard of care obligations for its traveling employees.
The basic purpose of TRM training is to develop employees’ skills and knowledge in advance so that they perform their roles effectively and efficiently during their routine business travel.
A traveller’s training for a trip at least covers basic pre-travel knowledge, and essential skills required during any travel. In addition, an organization may also choose to offer a wide variety of enhanced training sessions to their staff traveling to high-risk destinations, like security awareness, surveillance detection, defensive/evasive driving, first-aid, IT security, emergency management, etc. Most importantly, the training should be tailored in a way that it tackles all those specific risky areas that may be encountered by a traveller.
It is equally vital that the Emergency Management Team (EMT) at the vendor’s base/headquarters is correspondingly trained to provide all kinds of required support to a traveller when asked. The step-by-step procedures/drills/simulation/table top exercises should be evolved, planned, and rehearsed to handle any emergency during the trip. These training activities should involve maximum staff participation in the operation. There is no compulsion that these pieces of training should be in the shape of formal presentation, as these can be done over the phone, face-to-face, in a periodic classroom or online sessions; as the only substantial thing to monitor is to see the quality and effectiveness of these training.
Travel Risk Management
– The Process
In the succeeding paragraphs, we will dissect and further discuss each phase of TRM separately but in detail.
Phase 1 – Pre-Travel Advice (PTA)
Initiating the Travel Requisition (which may have different names in different setups) by the traveller is normally the initial step towards any business travel. The travel requisition is signed and authorized by a management staff who is normally higher in a hierarchy; and once authorized, it is distributed among all concerned departments including security, for further actions related to that specific travel. Authorizing the business travel has many pre-defined objectives and processes, but in actuality, it also kicks off the TRM process.
The security team will start its work by formalizing the PTA for whole travel; while establishing the context, assets (in this case the asset is a traveling employee), threat & risk identification (threats/risks are mostly terrorism, crime, IT, and medical-related), vulnerability assessment, risk assessment, risk analysis & evaluation (matrix), risk prioritization, and finally risk treatment. Credible data acquisition is the backbone of travel risk assessment and related mapping. This data/information can be acquired from international organizations like CRG, SOS, Falck etc.
As a first step, after receiving travel requisition, the security team prepares its Safety and Security related PTA, and for that security team at least works on the following to complete its advice:
In-depth information and analysis about the country, city, hotel, available medical facilities/air & ground ambulances, local emergency services, routes, vendors, natural disasters, terrorism, crime, cultural awareness (do’s & don’t), weather, food/hygiene, pandemics, airports/airlines (itineraries), IT, communication, the quality of response and effectiveness of Law Enforcement Agencies (LEAs) etc. The traveller should be briefed well about maps and traffic conditions of the visiting cities.
The security team may provide PTA in the shape of a presentation (which takes around 1-2 hours), briefing, skype meeting, handout, etc., and is given to the traveller much ahead of actual travel, most suitably two to three weeks in advance. Furthermore, any other vital information or advice that one wants to communicate to travel becomes part of PTA. A predefined checklist may also be given, and to be filled by the traveller to provide a wide variety of information, which may help security in many shapes, including any existing medical conditions of the traveller, if any.
After PTA, and becoming fully aware of the services required, the security team will ensure the quality of the services from the vendors; and for this purpose, the security team is expected to ask for credible processes or certifications from the vendor, like ISO 9001:2015, PAS 3001:2016, and ISO:31030, etc. The driver/CP team plays a critical part in any road travel. Valid certification of that team may be asked from the vendor to ensure quality in the operation.
Phase 2 – Journey Management Plan (JMP)
A JMP is a combination of specific instructions, guidelines and visit programs designed to make the trips safe, more efficient and organized. As a general rule, road and air journeys, when taken in succession and are expected to last more than 90 minutes, should have a JMP; and mostly JMP covers travellers’ from the host airport and back.
Although PTA briefing covers threats, risks, vulnerabilities and mitigations; JMP will further help in easing the trip from unpleasant surprises. The hallmark of JMP is a comprehensive day-by-day schedule for the whole trip, and that includes but is not limited to, details related to flight, vehicles, driver-CP (names & pictures), meeting places/point of contact (POC), safe/ alternate routes and communication.
At this point in time, while a primary organization is working on PTA for the traveller, the security vendor (after receiving the traveller’s program), would be working on a recce of the meeting places, hotels, primary/alternate route, and training of the involved team. The initial short briefing (max. 3 to 4 min) on arrival by the CP team will also be formalized.
An effective Incident Management Team (IMT), at the vendor’s place, is a backbone for any TRM operation. The team operates a 24/7 control room, which works under the supervision of a security vendor in the visiting country. While continuously evaluating the progress, the IMT remains operational till the conclusion of the trip. The IMT should have the mandate to take necessary decisions, whenever required. The most central task of the IMT is to immediately respond to any popped-up emergency, and provide advice and help to the team which is present in the field. Availability of the exact location (live) of the team has great advantages, which can be achieved through many computer-related applications available off the shelf. The team also monitors the quality of the performances of different teams working on the ground. The team should have all the required contact details and should share them with others.
Phase 3 – Post Travel (Evaluation)
This phase relates to finalizing the travel. It is quite significant to have a comprehensive off-boarding process for travelling staff for the whole trip, especially providing feedback about the quality of different services, shortcomings observed, and any advice for future trips is always sought. This activity can be in the shape of an off-boarding interview or in a written form or both. A checklist can also be provided to keep the focus of the traveller only on the relevant feedback. Similarly, besides the traveller, each team of the vendor may also be asked to give inclusive feedback on the trip. The quality of the services provided by the vendors should also be discussed in depth.
The feedback of different teams will enable the security & safety team to improve upon their present TRM procedures (SOPs) and would be able to enhance quality, and add further necessary measures in the future. But most importantly, the whole process should not become so complicated that it becomes impossible to implement in letter and spirit; and travelling staff, security team or vendor should start looking for the shortcuts.
Despite that the news coverage of terror-related incidents seems to be on increase, the likelihood of a traveller being caught in such an event is still thankfully very slim. It’s far more likely that a business traveller may get sick, be involved in a road traffic accident, or be affected by a pandemic situation.
The objective of any risk management program, and especially of TRM, is to mitigate risk to an acceptable level consistent with business objectives, Governmental regulations, and the prevailing standard of care for an industry. A successful program will not only reduce the frequency and severity of incidents but also enable better management of the costs associated with response, recovery, lost productivity, and liability.