ISO 31030:2021, released on 15 January 2021, provides guidelines for organisations developing travel risk management (TRM) programmes to ensure the safety and security of their employees while travelling for work.
Employers have a legal obligation, often referred to as a ‘duty of care,’ to take reasonable steps to ensure the safety and well-being of their employees while they are travelling for work-related purposes. This duty extends to all aspects of travel, including transport, accommodation, and activity during the trip. Numerous legal cases have established employer liability in instances where they failed to discharge this duty.
As a result, employers must establish a policy and related procedures which take reasonable steps to educate, inform and support their employees when conducting travel. This includes:
Employers must comply with relevant laws, regulations, and industry standards related to travel safety and risk management. This includes complying with immigration laws, health and safety regulations, and data protection requirements, among others.
Adopting the ISO31030 guidance provides a number of benefits to employers and employees and aligns with several business interests.
The immediate aim of a constructive travel risk management programme is to keep the employee safe - with the related and equally important aim of increasing the likelihood of achieving the trip’s objectives without disruption or additional cost, and reducing the employer’s exposure to legal challenge.
The guidance in ISO31030 helps companies fulfil their moral obligations to their staff: when asking them to travel somewhere on the business’s behalf, it is reasonable that the business provides staff with the means to do so safely. Moreover, employers are in a better position than individual employees to understand and evaluate risks, particularly over time: helping to manage risks while travelling ought to be as fundamental as providing them with a laptop.
A mature TRM programme can help demonstrate a company’s ‘values,’ showing they fulfil their obligations to their people. By considering each employee’s personal profile, for example by highlighting to them different legal or cultural norms which might pose a risk to them, it can help establish practical examples of DEI policy in action.
Additionally, if properly integrated with other core policies, such as travel and insurance, the programme can help companies avoid unnecessary costs: if TRM policy explains corporate-level insurance coverage or access to medical and security assistance, regional or local offices can avoid duplication of effort and additional costs.
There are also very clear legal responsibilities for businesses. Numerous cases have established that an employer has a legal as well as moral duty to take reasonable steps to ensure the safety of employees on assignment: they could face litigation in the event of an incident affecting an employee, and a significant fine. This could include failure to properly prepare an employee, such as not warning them of potential health or safety threats; the failure to support mitigation ahead of travel; the failure to make provision for support on the ground; or the failure to provide support to other affected employees or stakeholders after an incident.
Moreover, the ISO31030 provides clear guidance on how to develop and implement a framework of policy, procedures and supporting resources: there is now no excuse for not having a robust travel risk management programme.
A TRM programme establishes policy guidance and procedures to be followed by employees. A comprehensive risk-based programme informs other related policies and procedures, aiding consistency and proportionality. For example, travel policies often specify ‘preferred’ or ‘must use’ vendors, such as an airline or a major hotel chain, usually on cost grounds. However, your TRM policy should review the suitability of accommodation or transport types in all destinations, identify exceptions, and outline the appropriate approvals process.
Similarly, some companies try to reduce data roaming costs by encouraging employees to make maximum use of public wifi. This could create unnecessary vulnerabilities to company or personal data, as well as leaving employees incommunicado and vulnerable when moving between hot-spots. Again, a robust TRM policy will identify exceptions where additional cost is justified.
When travelling, people often prioritise convenience or familiarity. For example, when looking for accommodation, employees might opt for so-called shared economy services such as Airbnb, without thinking about the potential safety implications: again, a risk-based policy covering all aspects of the trip ensures employees find the most suitable places to stay.
An insurance policy is an important component of your TRM programme: properly structured, it helps you manage the consequences, especially the financial impact, of disruption to your employees and business objectives. It does not in itself help you or your people understand threats or hazards, reduce the likelihood of them affecting your employees, or mitigate the non-financial impact of an event. Critically, an insurance policy alone does not cover your duty of care obligations outlined in ISO31030.
However, a constructive relationship with your insurer does bring a number of other benefits. It can help you understand the extent of your coverage, including access to third parties, including for malicious risks such as cyber crime, kidnap or activism. Your insurer can help you integrate those services properly.
Additionally, brokers will often have useful insight into relationships between insurers and assistance or specialist risk management service providers, as well as being able to recommend which are the most suitable providers for your company’s needs. They can also help highlight duplication, such as coverage for one type of event through two or more policies, or access to assistance services through existing policy cover.
As with an insurance policy, giving your employees access to a third-party provider during or after an incident is not a ‘magic bullet,’ and certainly does not in itself fulfil your duty of care obligations.
Global access programmes. Companies often outsource such activity to travel risk management companies, many of which offer a ‘one stop shop.’ While a prudent option for many, this requires informed engagement with potential providers if you are to ensure you have taken ‘reasonable’ steps to support your employees. A robust TRM programme will look beyond the sales pitch to understand the practical capabilities.
All service providers have strengths and limitations. Caveat emptor applies as much here as anywhere else, and assuming your provider’s services are adequate might not be a defence in court. The best risk services companies will provide a transparent account of the full range of their capabilities. A lack of transparency about specifics - the use of sub-contractors or its accreditation programme, for example – is a ‘red flag’ that their other capabilities might not be as robust as their marketing claims.
Additionally, having access to several programmes –one or more insurance policies backed up by a direct relationship with a travel risk service provider – might not give you more options, especially in a crisis, when demand for vehicles, accommodation, airline tickets and charter aircraft seats outstrips supply. Your assistance provider might be one of many competing for the services of a single local transport company, or for seats on someone else’s charter. Your options might simply be different routes to the same services, with long waits involved: it is better to know this advance than to find out during a crisis.
Risk monitoring and reporting. Risk service companies offering travel risk management services almost always include a risk monitoring service as part of a ‘global’ package. As with their other services, it is important to understand the capability behind the marketing pitch. Smaller regional-focused providers often have a better understanding of cultural nuance, as well as having their own ‘boots on the ground.’ It would be worthwhile for companies with an enduring interest in specific countries or regions to identify smaller, regionally based providers who can offer a more localised service, including greater insight into medical or security risks than can be gleaned from public information. (Such providers are likely also to be part of the network of the large global providers - and dealing with them directly is often more cost-effective.)
Building an effective TRM programme is essential to allow a company to fulfil its duty of care commitments, as well as its moral obligations, to its employees. ISO31030 contains extensive guidance to establish and maintain a set of robust policies and procedures, which are based on established risk management principles.
However, implementing a robust TRM programme requires additional important steps. It should involve constructive and transparent discussions with a range of providers, including an insurer and risk management providers. This should involve an objective appraisal of their capabilities, methodology and assumptions in the context of your potential exposure and risk appetite. This will help identify and close actual or potential gaps, and also avoid unnecessary duplication and costs. Investing time now to gain that clarity is likely to pay off before an incident or during a crisis.
Should you have any enquiries regarding how we can support you this area, please contact WTW’s in-house consulting practice, Alert:24, via the below contact details.
