Please note – the views in the following feature are those of the author and are not necessarily endorsed by Safe Travels Magazine. Before travel, we recommend that you always do your own research, read travel advisories and buy appropriate travel insurance.

Mike O’Rourke at Advanced Operational Concepts

Twitter: @AOC_Security
Instagram: @aoc_security


Mike O’Rourke is a former US Special Forces soldier, and the CEO of Advanced Operational Concepts (AOC), a global security consultancy. Assisting clients in hotspots like Iraq and Afghanistan, as well as in Europe and America, he is a fervent proponent of Travel Risk Management. AOC focuses on Travel Risk Management and Risk Assessments, Onsite Security Assessments, Corporate Counterintelligence, Atmospheric and Open Source Intelligence.

Establishing a Travel Risk Management Program to Meet Duty of Care Obligations

On the night of November 13, 2015, as terrorists were striking multiple civilian targets across Paris, San Francisco based Salesforce had over 400 employees unaccounted for in the City of Light. That would rapidly change.

Companies with traveling and expatriate employees faced situations similar to Salesforce’s during this and other international incidents. How they responded, or more importantly, how they prepared in advance to respond, set those businesses who met their Duty of Care requirements apart from those that did not.

Duty of Care, broadly defined, is an employer’s legal and moral obligation to take prudent steps to protect workers from foreseeable risks in the workplace. Legal applications of Duty of Care for a traveling workforce vary from nation to nation. The UK, many other European Union countries, and Australia, for example, have laws on the books that apply Duty of Care to workers traveling abroad on behalf of their employers. The United States, however, has no specific legislation applying to employers in this regard. Still, one can easily argue the moral obligation remains.

Larger companies often have robust and rehearsed Travel Risk Management plans in force, enabling stakeholders to meet their Duty of Care obligations during a crisis. As the events in Paris were still unfolding, Salesforce CEO Marc Benioff turned to Twitter:

Salesforce currently has 451 employees in Paris, and 204 have confirmed they are safe. We need to hear from the rest of you! Call GO center!

GO Center is Salesforce’s Global Operations Center. This corporation, currently with over 26,000 employees, clearly had a plan and wasted no time putting it into action. Within several hours, each employee had checked in and was safe. A Tweet from the CEO wasn’t required, but it was certainly a powerful demonstration that Duty of Care is taken seriously at the very top of the corporate hierarchy.

The cost to companies lacking Duty of Care plans for traveling workers can be catastrophic and include:

  • Loss of life, serious injury, or emotional distress for employees.
  • Unplanned medical evacuation or remains repatriation costs.
  • Economic damage—facilities; earnings; business interruption.
  • Criminal charges in some countries.
  • Civil fines and penalties.
  • Cost of litigation.
  • Inability to recruit employees.
  • Loss of public goodwill; damage to brand.
  • Potential bankruptcy.

Investing in Duty of Care upfront is many times less expensive than the cost of failing to plan; however, too many companies have yet to make this commitment. Correcting this is not a herculean task, so there is no excuse for further delay.

Identify Stakeholders

Key is establishing a Travel Risk Management (TRM) program. Getting started does require a bit of planning, and that begins by assembling the stakeholders. Your existing Travel Management and Security departments should be in the forefront of TRM development. In smaller companies, the travel manager is often the tip of the TRM spear, while larger enterprises often place their security directors at the helm. Human Resources and Legal need a seat at the table, and early Public Relations involvement will help craft communications in the event of an incident.

Any successful TRM program requires a champion in the boardroom. Executive leadership can not only allocate resources during the startup phase, but also shift organizational priorities to meet the needs of a sudden crisis. C-suite involvement also conveys the message that Duty of Care is a priority. Salesforce CEO Marc Benioff sent that message loud and clear.

Establish Strategic Policy

A TRM policy must be created to demonstrate and focus an organization’s commitment to providing adequate Duty of Care to their traveling workforce. Think of it as the TRM strategic vision. This policy should cover the intent of TRM, as well as assigning key responsibilities and the general “how” of implementation. Integrate the TRM policy with the overall company Risk Management policy to avoid “stove-piping” complimentary efforts.

Assess Risk

Adopting a method of assessing risk, both in a location- and company-specific sense, is essential to understand the security, safety, and medical risks in those parts of the world where the organization does business. Included is not only initial intelligence collection, but an ongoing effort to maintain a clear operational picture. Intelligence collection is often outsourced, but internal assets such as reports from the field, site visits and debriefing returning employees should not be overlooked.

Individual travelers, also TRM stakeholders, are a key risk assessment factor. Is the employee healthy enough to travel to an austere location where medical care is scarce? Are there other foreseeable risks that might disqualify one employee from a particular assignment but not others? While the modern work environment rightly loathes profiling employees based on factors like race, gender or sexual orientation, there are parts of the world where prudent Duty of Care demands consideration of these factors prior to authorizing travel.

Risk Assessment is a living process, always in motion, devouring new information and constantly challenging previous assumptions.

Planning, Policies & Procedures

Utilize the risk assessment results to develop general (global) and location-specific TRM policies and procedures that govern travel management and the traveling employees. This can include how emergency notifications are pushed down to field offices, or up to headquarters from the field and employee check-in requirements during an emergency. Crisis management plans—previously rehearsed—dictate how corporate headquarters reacts to and manages incidents and emergencies.

Educate, Train & Implement

The new Travel Risk Management program must be clearly communicated across the enterprise at all levels, including reaching out to those already assigned or working abroad. Employees and managers on both sides of TRM require training as the new policies and procedures are brought online. Poor execution here will likely result in internal compliance issues, which can rightly be traced back to management’s lackluster TRM rollout.

Implementing TRM involves oversight from the relevant levels of management as employees traveling or assigned abroad are tracked. Travelers and expatriate workers also have a Duty of Care responsibility to their employers, which they exercise through policy compliance. Proactive communication is essential in both directions in the event the situation on the ground changes. It is always better to push communication than it is to pull it.

TRM implementation also encompasses reacting to emergencies, assisting travelers in distress and conducting evacuations when required.

Analyze, Re-evaluate & Start Over

After an organization has activated its TRM program, the results must be measured and analyzed to improve efficiency, effectiveness and compliance. Lessons learned must, in fact, be learned.

Throw away what doesn’t work, and fill identified gaps or shortcomings. Policies and procedures should be modified in a thoughtful manner based on a careful evaluation of the data.

Once brought to life, TRM is not a static monolith. Drop the idea that TRM has a beginning and an end. Rather, think of it as a rotating circle where one part of the process leads to the next, which leads to the next and so on in an endless loop.

How smoothly your Travel Risk Management program meets your legal and moral Duty of Care obligations is tied directly to how well you start it rolling. Business leaders to whom the TRM concept is new should not be afraid to look outside their companies. Security consultants understand, or at least should, that each organization requires a bespoke Travel Risk Management plan, rather than a one-size-fits-all approach.

Whether you seek outside assistance, or stay in-house, your Duty of Care requirement remains the same. Those traveling abroad on your behalf deserve your full measure of devotion.

Like what you read? Sign up here for our free Daily Updates.

We also send out a Weekly K+R Update, bundling together all the kidnap, ransom and extortion news of the week in one easy to read newsletter. (Same form – options at the end.)

 Other ways to stay up to date:

Follow and subscribe!

Follow us on Twitter, LinkedIn, and Facebook. You can also subscribe to our free newsletters - the Daily Updates and the Weekly K+R Update.