Traveler-First Risk Management

Travel and human resources managers are no strangers to risk assessments. Whether performed in-house or left to a TMC or security advisor, there is generally some form of evaluation of whether a traveler could be put in danger when taking a business trip. But this is usually assessed on the location and the current environmental or geopolitical factors affecting that destination, such as natural disasters or military coups.

The Covid-19 pandemic has highlighted a number of areas in which corporate travel management can change for the better, and the safety and security of employees has risen to the top as a high priority for most companies as travel returns. With so many new factors creating potential hazards for travelers, how can businesses assess the true risk for each individual employee?

One idea floated in recent months is highly personalized risk profiles whereby travelers can disclose details about themselves, such as medical conditions, race, religion, sexual preference and other factors, that might increase their level of risk depending on the destination.

Some companies may already be putting together personal risk profiles for employees under a different guise and for a different purpose, according to Bruce McIndoe, president of McIndoe Risk Advisory LLC.

“The concept has been around for a while. A lot of companies call it ‘insider threat,’” McIndoe said, referring to situations where employees may be engaging in questionable business practices or personal gain in ways that are antithetical to company policies and ethics standards. “Companies collect data on an employee’s online activity or the types of communication they’re having. They will then create a score that shows the potential for an individual to be a higher risk than anyone else. The people that bubble to the top as the highest risk will get a lot more attention from security managers to make sure they’re not conducting fraud or creating other issues that could be detrimental to the organization.

Collecting data on the back-end is not the right approach for a travel program, rather it’s understanding how to handle sensitive data. “It’s been a long-term practice and I think insider [threat] teams are very familiar with the challenges of collecting that amount of data on an individual in terms of security, privacy and civil liberties. They’ve navigated those waters for years,” said McIndoe.

Translating for Travel

“What we’re talking about when it comes to travel is looking at the risk to the person rather than the risk of the person to the organization, but it can use a lot of the same technology and approach,” he continued. And rather than looking at the broader risks of a destination, McIndoe said companies could be paying attention to specific risk factors of the individual traveling.

“If I’m of a certain ethnic background and practice a particular faith, my risk profile, even within my own country, might be higher in some locations than someone with different attributes,” said McIndoe.

It sounds like good advice. After all, many companies navigate personal risk factors for female travelers, LGBTQ+ employees and disabled workers. But do employers invite claims of discrimination if they ask for details such as a person’s race or religious beliefs? McIndoe believes it’s all about the terminology.

“When I talk to companies on this topic, I try to couch it in the term ‘vulnerability’ rather than ‘risk’. What you’re really doing is creating a vulnerability profile—these are the personal factors that could, depending on where I’m going, increase individual risk.”

The approach could have expanded application for Covid-19-era business travel, said McIndoe. “In the current pandemic, if I’m immunocompromised and I come into contact with Covid-19, I’m at higher risk of becoming infected and seriously ill than a healthy 18-year-old.” Even as the pandemic wanes in certain geographies, traveler health is likely to remain a top concern for corporations and top of mind for travelers themselves.

But there are plenty of other attributes that contribute to a person’s personal risk profile, said McIndoe. For example, “Being gay is not a risk in itself, but it is a vulnerability if I’m in an environment with anti-gay sentiments. [Leading with a personal risk profile] is about identifying vulnerabilities in the context of the threat environment. If there’s a threat but I have no vulnerabilities, then the risk is lower for me.”

Could Risk Personalization Lead to Unequal Treatment?

Founder and director of intelligence at Tapis Intelligence Philip Stewart said he worries companies might become too focused on small details.

“Obviously, you have to manage the risk of everybody individually and consider their personal risk as much as possible, but if a profile showed that an employee identifies as LGBTQ+ and they’re going to the Middle East, but a colleague is straight and going on the same trip, would they get different advice because risks are different? Would the travel manager actively reach out to the LGBTQ+ person but not the other? I think you’d be treading on dodgy ground if you started doing that.

“Every traveler should get information about all the risk factors of a destination so they can come forward if they have any concerns or want to know more. Employees should be able to make informed decisions about their personal level of risk. I’m not sure it should be the company making those decisions.”

Looking at the prospects another way, however, risk profiles could have some advantage when it comes to identifying medical vulnerabilities. Dr. Luke Kane, medical officer at Healix International, said the pandemic has highlighted the need for businesses to have open and honest discussions with their employees about their health.

“I think there has to be a culture of trust within the organization whereby employees feel comfortable disclosing medical conditions that might put them at greater risk, and they should feel confident that the information will be safe and not used against them,” Kane said. “Companies need to harbor an environment of open communication, and employees should feel able to raise their hand and speak up if they feel uncomfortable about the questions being asked.”

Trust… But  Not So Much

Acquiring such personal information creates a tricky situation for companies. Asking employees about their religious beliefs, sexual preferences and health status might raise concerns about data protection, particularly with attributes considered highly confidential. With the rise of social media and in and era of increasing data theft, there’s a commensurate rise in awareness in how information can get into the wrong hands and the effect that can have on individuals.

There are also details employees might not wish to disclose to their employer, such as a woman in early pregnancy who wants to wait to inform her company in order to avoid potential discrimination because she will require maternity leave.

McIndoe believes one way to effectively manage the data and avoid unease for employees is to put it in their own hands so they can then decide what information to share and when.

“My recommendation is for companies to provide risk information or even a tool for people to run their own self-assessment without storing data and divulging that data to the company. They can fill out a form that doesn’t store the data and at the end they get a personalized recommendation based on their answers.”

Kane sees the issue differently. “If a company has made the decision to conduct personal risk calculations, they should be willing to collect and protect that data rather than leaving it to the discretion of the employee. If a person doesn’t want to share that information, that’s their decision, but if a firm has committed to operating profiles, they need to be in charge of managing the data.”

Kane also believes companies risk collecting too much data on their employees.

“Through my work with the [UK’s National Health Service] I understand the basics of the General Data Protection Regulation and I know that companies need to tread carefully. There have to be robust protections in place and employers should only ask for the information they deem to be essential for conducting risk assessments. Again, employees need to feel safe speaking up if they feel they’re being asked too many questions.”

Too Much Information

Tapis Intelligence’s Stewart said collecting such data could become too resource-heavy for many companies. “It’s potentially a waste of time because it would be quite labor intensive to maintain that data and I’m not sure how much benefit the profiles could offer. It’s an interesting concept, but how would it be managed? It would be very time-consuming to have either the employee or a manager ensure each profile is kept up to date.

“Risk management should be an enabler of business travel. It should open doors and allow people to operate in these new and challenging environments. If personal risk profiles or questionnaires add another layer of bureaucracy, I think it could be very limiting for a company’s travel program.”

There also could be regional differences in how employees—and governments—view the practice of personal risk profiles, particularly when it comes to disclosing certain health information. In England, Scotland and Wales, employers are subject to laws and regulations under the Equality and Human Rights Commission, which guarantee a person’s right to a private life. One regulation of particular focus now is the fact that companies cannot require employees to disclose their vaccination status, though with current country-by-country restrictions in place, a worker would obviously have to divulge this information if it means they cannot travel to a particular destination.

That stance differs from the U.S., where government contractors are required to be vaccinated against coronavirus and several airlines have instituted vaccine mandates. Some companies, like JPMorgan Chase, also have introduced business travel bans for unvaccinated U.S. employees and those unwilling to disclose their status.

It’s unclear how long such mandates will last or whether they will proliferate. One question is whether they can be legally enforced—certainly they will be challenged. Whether companies move forward with the concept of personal risk profiles remains to be seen. If they do, it seems clear that the information involved would be voluntarily disclosed for the benefit of the traveler, unlikely to be mandated and lack of a profile could not be blocker to business travel itself.

“If you deny a person the ability to travel for work and all the benefits that come with it, I think you risk stepping into the realms of discrimination,” said Kane.