The corporate departments most often thought to own
corporate risk management policies and processes are security, risk management,
human resources and legal, but a recent survey of 125 global companies found
that travel management was most frequently identified as the process owner.
[Please click here to
view the digital edition of BTN's special research feature on travel risk
management, featuring all charted data and downloadable as a pdf.]
In the Inform Logistics poll conducted in May and June 2012,
35 percent of respondents said their firm's travel departments owned risk
management while 30 percent identified security. Another 18 percent indicated
HR, 8 percent cited senior management and 9 percent said risk management was
outsourced.
"It's a little worrying because people aren't always
sure who is in charge of risk management within corporations," said Inform
Logistics managing director Ian Flint, addressing attendees at The BTN Group's
Travel Management 2013 conference in December. Just under half of respondents
to the Inform Logistics survey said their companies have a security department,
but 60 percent said a risk management plan is in place.
Hospitality Lawyer founder and president Stephen Barth said
a key issue is "that there are very few attorneys in your corporate
offices who understand this realm very well. Many think workers' comp covers
all this," or that risk management departments should handle all such
matters. But issues often must be addressed with policies on workers' comp and
employment laws, travel and risk policies and duty-of-care provisions.
Part of the problem, according to conference speakers, is
the breadth of risk management initiatives needed to protect assets, whether
buildings, offices, intellectual property or people. Traveler tracking could be
just one element of a travel program that also might include policies and
compliance, training, pre-trip notifications, en route notifications,
evacuation services and limits on the number of executives or employees allowed
to fly together. Risk management programs also could involve protecting data
and ensuring compliance with duty-of-care laws.
Barth encouraged attendees to vet the security of their air,
hotel and rental car suppliers, "because all those companies have the same
duty to their employees that you do to yours. They all need to be on top of
this and should have data for you about safety and security."
Risk Management Dream
Team
Barth asked, "Who needs to be on a corporate enterprise
risk management team?"
"Anyone who has passion about the problem,"
responded iJet founder and CEO Bruce McIndoe. "Travel and security tend to
be ones who bind together to make it happen. But they realize that they
typically need to bring in HR. Risk, HR, travel and security tend to be the
four I see."
PricewaterhouseCoopers security director Daniel Pocus said
those four components are involved in his firm's program: "We integrate a
lot of the processes, especially international ones in high-risk locations, so
we really need to communicate effectively with our people in travel and HR."
In addition, Flint suggested that companies will "need
IT as they need to integrate systems and portals."
Pocus said that point is well-taken. "Sometimes we go
to places that really are a large intel risk," he acknowledged, adding
that PwC's IT department "covers it well to ensure that we have a blanket
approach to make sure it all works [with] communications to reach out to people
quickly."
'Split-Second
Decision' Training
Once a risk management program is in place, how do
organizations inform travelers, their managers and senior executives?
"The biggest challenge we have is to articulate that,
to make people really aware of the processes that make it safe for
stakeholders," Pocus said. "Of course we address it, especially when
people travel to high-risk locations. The idea of awareness is really
important."
Barth noted that many companies have started testing
employees. "A 10- to 20-question test," for example, may be used to
ensure would-be travelers understand policies, he said, allowing managers to
say, " 'You're not going anywhere until you demonstrate' " policy and
safety knowledge.
PwC has started to train all new hires on the topic. "To
get them really early in on the process is extremely important," Pocus
said. "We find it needs to be from the bottom up, and [we work] with
leadership to make sure they can articulate it down too."
He explained that PwC uses a combination of travel security
videos and online and in-person hostile environment and emergency aid training
to ensure travelers are aware of risks and the actions they should take.
Despite high return on investment of training initiatives,
iJet's McIndoe said training is the risk management component "least spent
on" by companies. "This is all about behavior modification. It's
about making that split-second decision. The only way you're going to change
people's behavior is training, telling them what you want to do and why."
In the Inform Logistics survey, 17 percent of respondents
said their firms provided pre-travel risk training and 23 percent said they
provided crisis and emergency management team training.
Speakers said it is unclear how companies should deal with
employees who decline assistance, won't heed warnings about travel to specific
hotspots or turn off their location-based devices.
Policy Shortfalls
Policy is key to risk management programs, and speakers
urged attendees to take a long, hard look at all aspects of theirs. Most often
lacking in travel policies, McIndoe said, are components that actually address
risk management. "I've been through dozens and dozens of travel policies
and can probably count on one hand the number that actually addressed risk
management," he said. "They focus on class of service, upgrades and
reimbursements. It's all about the expense side of travel. Seldom do I see
information about risk management—even simple things like, when I rent a car,
should I elect the insurance or not? You would think companies would
communicate that."
While companies in North America "regularly update
travel policy and keep needs in mind," that isn't often the case
elsewhere, according to Flint. "Often when you look outside North America
or at a fragmented company, you'll find that they have policies, but they're
often outdated," perhaps by a dozen years.
McIndoe illustrated the point with a story about his
inability to obtain copies of a business travel accident policy during a recent
trip to Asia. He said that after several requests, he learned the policy had
expired two years earlier because "the one who had been renewing it left
and no one had picked it up."
Traveler Tracking
Though other aspects of risk management are important,
McIndoe acknowledged that as much as 90 percent of most programs are about
traveler tracking. He said that itinerary-based tracking solutions "fall
apart when an incident occurs as people scatter to the wind and no longer
follow their original plan. When it comes to risk management, it continues to
be the highest-value data. You want to know before people do something so you
can actually mitigate and do something about it.
"People always ask me [about] GPS versus PNR,"
McIndoe continued, referring to passenger name records. "If you want a
risk management program, get the PNR. If you want a disaster response tool, get
the GPS."
Itinerary data augmented with a mobile device or
location-based tracking is a crucial component, except during such incidents as
Hurricane Sandy, "when there's no power, cell phones or means to get a
hold of people," he reminded attendees. Those who borrowed phones still
may not have known their company's emergency number, just one example of the
many "issues at the pointy end of disaster that are tough."
Perhaps that is why 52 percent of respondents to the Inform
Logistics survey described their companies' response to major disasters as "reactive,"
compared with the 34 percent called it "proactive."
This report
originally appeared in the Feb. 4, 2013, issue of Business Travel News.