For travel managers, risk management is a complex task. It requires open dialogue with external suppliers and various internal departments, and assumes a level of expertise that should position travel professionals as reliable specialists within their organizations. To fully assume such responsibilities, travel managers must understand and communicate to travelers information on numerous threats, as well as the corporate policies meant to mitigate them, at all levels local to global.
"If your scope of responsibilities is to warn and proactively inform on safety matters, you may be held to a higher standard," said John Caldwell, president of Caldwell Associates, discussing risk management last week here at the National Business Travel Association conference. "There a lot of questions about where the responsibilities lie, where it starts and where it stops."
Caldwell laid out various practical examples, hypothetical scenarios and questions travel managers should ask, ranging in topic from airline safety and credit card security to pandemic preparedness and regulatory compliance.
At issue is known risk, or "foreseeability," Caldwell explained. "Both the corporation and the travel management company have an obligation to warn of foreseeable dangers. You cannot transfer and delegate duty to the employee by way of a contract with third party," such as the TMC or travel supplier.
This begs the question of just how to define a foreseeable danger. "Foreseeability is a major defense for an employer against claims of failure to warn," Caldwell explained. "Did the company have legitimate information?"
Caldwell provided the example of a faulty engine on an airplane in use by one of his client's preferred airlines. "Is one bad test on Boeing 767 General Electric engine a known risk or an isolated incident?" he asked. "Most clients did nothing about this in terms of asking the airline for an explanation. We asked, and they told us we would have to get that information from the public relations department."
Caldwell also noted that some major carriers have outsourced certain maintenance operations to facilities in China and the Philippines, and asked if anyone had gone to those locations to inspect the facilities. No audience member had.
In raising questions about the reliability of low-cost suppliers, and describing commoditized purchasing as a possible "danger zone," Caldwell said "there never has been a time when people were buying more on price. Be careful that you are not buying so low that you are risking traveler safety."
As a result, Caldwell suggested that corporate clients ask airlines for accident rates and records of mechanical failures in requests for proposals, and then "continue that requirement under contract to report those statistics."
He also noted the increasing stresses on the air traffic system, potential safety concerns at foreign airports and "a lot of complacency" in reporting crimes at hotels. "How do travelers know the company has picked preferred suppliers that have been investigated and found safe?" Caldwell asked. "It is clearly a high-risk environment."
He also noted how senior executives at U.K. companies can be deemed negligent if employees are involved in car accidents after driving for too many hours. "Fatigue is foreseeable," Caldwell suggested. He also said that companies may be liable if corporate vehicles are found to be faulty.
Another high-profile risk management issue is data privacy, a concern that should be addressed in several ways throughout the the travel process, starting with reservations. For example, the use of a company-approved travel agency or self-booking tool can limit the risk of data theft, and should therefore be communicated to travelers as another reason for complying with corporate policies. [Tracking the whereabouts of traveling employees and fostering compliance with Sarbanes-Oxley regulations are other reasons.]
"Who owns company travel data in the passenger name record?" Caldwell continued. "The employee? The global distribution system? The company? That has not been legally determined and may need to be addressed by contract."
Meanwhile, for companies managing travel in multiple countries, travel managers also must address differences in local data protection requirements and disclosure norms, as well as other cross-border travel regulations. For example, the U.S. government is proposing new rules requiring airlines to transmit PNR data before departing for the United States from foreign airports. "As a company, should you have travelers opt-in or opt-out to accept this disclosure?" Caldwell asked. "Should companies give notice? Travelers may not want private, sensitive information disclosed."
Data privacy issues also relate directly to corporate cards. In addition to recognizing that individual cards issued to travelers may increase the risk of data theft (as compared with centralized payment programs), travel managers might consider such other concerns as infringing on personal privacy by receiving detailed electronic folio data via card companies from preferred hotel chains.
And of course, there is the common data theft concern as it relates to stolen laptops. Caldwell explained how "the average theft of company data costs $5 million" in recovery and security costs. "Travelers will look to the company for protection from data theft, but where does travel management stop and risk management start?" Caldwell asked. "That needs to be sorted out."
Overall, Caldwell suggested that the odds of a travel manager being sued for not warning travelers about potential risks are "pretty remote." Nevertheless, he said, organizations should clearly define where the travel manager's role starts and ends, and where other professionals, such as those in safety, corporate services and human resources, bear responsibility. A common default policy, he suggested, is "to be proactive as a company and alert the traveler" to any known risks.