Chapter 2 defines key performance areas (KPAs) and building blocks to be used in assessing your travel risk management (TRM) program or lack thereof. This chapter addresses important questions you should address and provides examples in each of the areas that may be useful when building a TRM program.
The following is a breakdown of TRM program building blocks with important questions and thought-provoking examples in outline form.
Planning
Even though each company is different, and the level of complexity and sophistica- tion for how each company relates organizational goals and policies to TRM varies, a company’s planning phase should consider the following:
1. How will your policies affect your program and your suppliers, and their service level agreements?
a. Will you require your travel management company to commit to a specified process workflow in support of your TRM program?
i. Risk based, pretrip approvals.
ii. Identification and “black listing” of suppliers deemed unsafe.
iii. Processes and timelines for crisis response protocols in the event of a critical inci- dent requiring traveler outreach and reaccommodation.
iv. Timely pretrip reporting of flights exceeding maximum number of employees allowed on the same flight, as well as special limits on key executives traveling together.
v. Ensuring that in the event of a crisis, your travel management company knows how to report and refer distressed travelers to the appropriate contacts for any support beyond travel logistics, and to not offer any safety and security advice or assistance.
vi. Verifying that your travel management company is trained on reporting specific risk policy violations identified during the booking process to the company prior to travel (e.g., booking a rental car for use after a redeye domestic flight or overnight international flight).
b. Will you rely on key airline partners for support when it comes to company needs in the event of a crisis, or is it every man, woman, and child for themselves?
i. Will they guarantee seats on oversold flights for travelers with qualifying mileage pro- gram status or participants in VIP/special services programs? Will their partners comply?
ii. Which airlines will support you in the event that you require a charter?
1. How quickly can you arrange one?
2. Is the process streamlined?
3. Who is authorized to order a charter, and what is the internal process before placing the order?
3
Building a Travel Risk Management Program 74
c. Will your annual hotel program incorporate requirements related to safety and security best practices and protocols?
i. Will your largest preferred supplier hotel chains give you senior-level security con- tacts that can act globally?
ii. Do they have designated stakeholders at each property that are both trained and responsible for handling security issues arising from assaults, thefts, and other inves- tigations in conjunction with local authorities?
iii. In the event of a large-scale critical incident with a shortage of rooms, will suppliers help to “shelter in place” your travelers, even if all rooms are sold out (e.g., use of meeting rooms and other properties for temporary housing during events such as ash clouds)?
iv. Do the properties adhere to fire safety, evacuation, and appropriate security proto- cols (e.g., in high-risk destinations, is attention given to how close cars can pull up to the main entrance doors without first passing through security)?
v. What are their medical emergency protocols, and do they have defibrillators onsite with trained personnel?
vi. Will you allow usage of shared economy accommodations such as Airbnb, VRBO, and Homeaway?
d. Ground transportation providers (private cars) i. Will they follow security protocols?
1. Airport or on location “meet-and-greet” services (no individual names on plac- ards; only company names or fake company names).
2. Provide driver photos, names, and contact info in advance of arrival.
ii. Do they have sufficient insurance coverage?
iii. Will you allow shared economy-type providers like Uber and Lyft?
e. Corporate car rental providers
i. Will they provide contracted insurance coverage for best available rates?
ii. What is your contingency plan for those locations where contracted insurance cover- age is excluded from the terms of your agreement?
f. TRM Suppliers
i. Do they provide a single number for all travelers to contact for any kind of emer- gency (medical, security, theft, translations, trouble with local authorities, etc.) ii. Have you established detailed security protocols and contacts for how to handle any
situation, including, but not limited to:
1. Key global and regional contacts for different types of crises, and when to contact or escalate decision support.
2. Under what circumstances and amounts can the provider handle a situation and authorize payment without authorization and/or escalation?
3. Do they have all of your “Business Travel Accident” or other insurance policies and contact info for coordination and case management under appropriate cir- cumstances, or can they provide any of the following (emergency medical service providers, security-based service providers, kidnap and ransom service/insurance providers)?
4. Do they have specific use cases outlined whereby a process would be triggered that would involve traveler outreach for safety purposes (e.g., safety outreach and communications with travelers identified as directly impacted by an event such as natural disaster)?
5. Are there separate protocols and procedures in place for expatriates and family members, versus transient travelers?
Building a proactive travel risk management program 75
2. Response planning and preparation
a. Documented plans for how to handle the following:
i. Pandemics or biohazards ii. Physical assaults
iii. Transportation accidents (airline crashes, car rental accidents or rail derailments) iv. Civil unrest
v. Arrest by local authorities vi. Kidnapping
vii. Natural disasters
viii. Incidents impacting business continuity
Training
There are several aspects and levels of training related to TRM that companies must actively develop, administer, and manage, including the following:
1. New-hire policy and duty of loyalty training a. New-hire risk policy orientation
i. Thorough travel and security policy and process review and documentation in all new-hire packets
ii. Business Travel Accident and any other relevant insurance disclosures
iii. Safe traveler training prior to conducting business travel, including crisis response program information
1. Online and offline authorized booking process
2. Pretrip approval process for high-risk destinations and/or other established criteria
3. Hotel fire safety training 4. Ground transportation safety 5. Female business traveler training 6. Crisis response training
a. Who to call b. What to do c. When to do it
iv. Liability waiver for travel and/or security policy violations (e.g., open booking) v. Signed acceptance of all training and policies
b. Duty of loyalty training
i. Clearly documented responsibilities for travelers, contractors, expats, and accompa- nying family members for:
1. Ethical behavior 2. Cultural sensitivity 3. Policy compliance
4. Compliance with legislation and law enforcement in applicable jurisdictions c. Destination-based training
i. Specialized training for travelers prior to going to places like parts of the Middle East, Africa, and even China, when available
ii. Biohazard awareness (e.g., Ebola)
Building a Travel Risk Management Program 76
d. Electronics and intellectual property training i. Safety precautions for devices such as:
1. Laptops 2. Smart phones 3. Tablets
ii. Internet connections
iii. File sharing and access to sensitive documents via:
1. Cloud computing 2. Flash drives 3. Device hard drives 4. E-mail
5. Virtual private networks e. Survival training
i. During and after an abduction or kidnapping ii. Natural disaster
iii. Assault and battery
iv. Self-defense (when necessary) v. Active shooter
2. Travel policy, process, audit, and safety training for corporate administrators a. Administering and supporting policies
b. Identifying policy noncompliance and violations before, during, and after trips (expense reports), and the traveler’s responsibility to disclose
c. Support of pretrip safety precautions as part of standard travel planning checklist d. Standardized small- and large-meeting processes and safety protocols with authorized meet-
ing and event planning suppliers who contribute and support the company’s TRM program 3. Travel consultant training (from travel agency or travel management company [TMC])
a. Certification process for agents on company’s travel policies regarding cost, preferred supplier, process, and safety
b. Clearly outlined and understood processes for bookings that either do or do not require any exception approvals
i. Trigger reporting and/or approvals process when necessary, as dictated by policy or service-level agreements
c. Understanding where to direct distressed travelers in the event that they receive calls from someone needing more than travel logistics/reservations assistance, including non- commercial travel evacuations assistance
d. Crisis response process in the event of a “critical incident” (usually defined as an event that has the potential for severe bodily injury, death, or mass travel delay), which may include:
i. Global reporting and distribution on potentially impacted travelers to key stakeholders ii. Specialized communications and reporting to key regional stakeholders, under
specified circumstances
iii. Communication of “all clear” when no potentially impacted travelers are identified iv. What to do in the event that there are potentially impacted travelers, including, but not
limited to, reservations assistance, special approvals (e.g., for business or first class), etc.
4. 24 × 7 Monitoring
a. Self-service monitoring using:
i. TMC traveler tracking solutions
ii. TRM company traveler tracking solutions (all requiring TMC data)
Building a proactive travel risk management program 77
b. Full service or automated monitoring using:
i. Rules-based automation to automatically generate and distribute reports containing traveler itineraries of travelers who are considered at risk using third-party risk- rating content
ii. Crisis management staff from contracted TRM firms, actively monitoring traveler movement before and during trips, to identify any potential need for traveler out- reach and support
First-generation traveler tracking software were merely “dots on a map” based on travel agency/TMC reservations data alone. A decentralized travel program would find benefits from using a TRM firm’s platform, which can consolidate, scrub, and scrape nonstandardized reservations formatting from multiple travel providers into one database. Although this still works well with a consolidated program, often best practice dictates that the most effective travel programs are consolidated with one global travel management company, in which case the TMC’s solutions can be considered, sometimes at a more competitive price point.
However, buyers must beware when purchasing any traveler tracking solution from a non- TRM/consultancy firm, unless the solution in question is deeply integrated with intelligence and crisis response networks and services from a reputable TRM leader. Because TRM is such a hot topic of discussion, and companies now realize that they must have something in place, there are many solutions providers in the market bidding for a piece of the potential market.
The majority of solutions not provided by or not in deep collaboration with one of a few world-class leaders in TRM are insufficient to truly support a comprehensive duty-of-care/
TRM program. They are sold more as products than as solutions, and TRM programs must always be designed and maintained as solutions-based programs, not merely software-based.
More recent versions of traveler tracking/monitoring solutions incorporate either GPS (latitude/longitude) locations or corporate credit/charge card preauthorization data, as a supplement to TMC reservations data. A traveler could land in London on a Tuesday, but be 200 miles away on Thursday before the traveler’s return flight home on Sunday.
These additional data sources can be a huge help in locating travelers more precisely in an emergency.
However, it’s not enough to simply know where your travelers are. The ability to consolidate or match travelers’ location data with active alert intelligence (issued by true intelligence analysts, not newswires or networks) is critical for efficient monitoring and pro- active traveler risk management. Of course, one can receive an alert or see something on the news and run a report, but having the ability to automatically run a report anytime an alert is issued that matches your travelers’ locations, is immensely more efficient. Additionally, these systems commonly allow the users to communicate via e-mail and/or SMS text mes- sage with travelers listed on reports, and can also actively forward alerts or destination specific risk reports relative to their travel itineraries, which are “must haves” in terms of a company’s “duty-to-disclose” responsibilities, respective to their duty of care.
The distribution of these disclosures (alerts and risk intelligence reports) must never be done manually because manual disclosure would be subject to human error. This can- not be stressed enough. Do not attempt to cut corners and save money by subscribing a travel arranger, administrator, or anyone else to an alert subscription and depend upon them to manually review and distribute these to the appropriate travelers. This is a very bad practice, and subjects the company to needless liability. These kinds of disclosures should be sent always automatically via e-mail, at the time of booking travel reserva- tions or at the time changes to a booking are made that introduce new destinations to the itinerary plans.
Building a Travel Risk Management Program 78
The following is likely repeated several times within this text, but is worth repeating because it is so common. It is commonly believed by companies that they adequately man- age risk by knowing where their travelers are (traveler tracking), and by administrative assistants manually forwarding alerts to travelers via e-mail, or even asking their travel agents to do it. This approach is not only a bad idea, it is an incomplete solution, failing to address each of the building blocks of a proactive TRM program, as discussed in this chapter. Travel agents, who get involved with manually forwarding these types of informa- tion on behalf of their customers, are not only taking on some of their client’s duty-of-care responsibilities, but are also assuming major liabilities as well, establishing themselves as the source for the delivery, timeliness of delivery, failure to deliver, and the accuracy of any information shared, which is a 24/7/365 days a year responsibility.
Crisis and incident response hotlines
Historically, some companies used to view a medical emergency hotline as suffi- cient in terms of what they provided to their travelers in the event of an emergency.
However, we now know that the definition of emergency has greatly been expanded and the full use of a best-in-class crisis response hotline can even extend beyond TRM, and can incorporate aspects of operational risk management (ORM) for things such as facilities and supply chains. However, from a TRM perspective, travelers need one number globally for any kind of emergency, including, but not limited, to the following:
1. Medical emergencies and evacuations
2. Security emergencies and evacuations (civil unrest, natural disasters, harassment, etc.) 3. Emergency translation services
4. Assistance with local authorities (police, local and federal governments, consulates and embassies)
5. Executive protection
6. Secure ground transport coordination 7. Kidnap and ransom incidents
While these hotlines may provide case management and some of these services through their own provider networks, they should also work with contracted service providers and insurers on behalf of the company, as part of their customized security protocols as defined and documented during the implementations process of a crisis hotline. Custom protocols could include, but not be limited to:
1. Collaboration, case management, and billing assistance with third-party insurers and service providers, such as medical and K&R (kidnap and ransom) suppliers
2. Preauthorization of services up to predefined spending limits, based upon company-defined criteria
3. Who to contact when situations exceed preauthorization limits
4. When to wake up key security contacts in the middle of the night for decision support 5. Based upon location
6. Based upon type of incident 7. Based upon cost
Building a proactive travel risk management program 79
A common question for this type of consolidated hotline is “Why do we want a
‘middle man,’ when we have some of these relationships in place already?” The fol- lowing items are just a few answers that address this type of question and explain why such a number is beneficial.
● One number for all employees, contractors, and expats is more efficient and less confusing than several different numbers for different requirements.
● All calls should be recorded and managed as cases with detailed reporting on all conversa- tions, requests, service orders, and activity related to the incident. This is typically exactly what employer’s need when in the midst of litigation.
● Facilitates preauthorized support services when needed.
● Provides vetted supplier networks for services required, when the client doesn’t have a provider or insurer in place for the incident in question.
● Billing/invoicing assistance when necessary.
● Customized protocols (processes) based upon your company’s culture, needs, and risk thresholds.
● Case management should mean that the hotline provider doesn’t just transfer calls to the appropriate customer contracted supplier, but sticks with the traveler through the entire process from start to finish, until the traveler is safely home, documenting each party’s involvement in managing the incident. Such documentation is necessary in cases involving litigation.
Feedback
Establish information collection points, whereby you can document and review simi- lar incidents over time and create your own continual process improvement workflow.
Information collection points include:
1. After a crisis communication distribution:
a. Natural disasters b. Civil unrest c. Biohazards d. Terrorist activity
e. Transportation disputes/disruptions
2. Posttrip, traveler interviews after returning from high-risk destinations.
3. Incident rehearsals or crisis response exercises with key suppliers.
Whether you follow Six Sigma or other methodologies, you must have a defined process, controlled variances, and, most of all, data (feedback) to measure and analyze.
When it comes to creating a well-rounded and proactive TRM program, further to the Six Sigma reference above, to have continual process improvement with con- sistent feedback and data, companies must approach TRM as a holistic and highly managed solution that is critical to their ongoing success, reputation, and operational readiness. One cannot simply buy some technology and believe that a “turnkey”
approach is sufficient. It is not. The best programs that most effectively manage duty of care, are a collaborative collection of suppliers, working together under a managed
Building a Travel Risk Management Program 80
program structure with one or more key stakeholders within the organization with responsibility for TRM. This will require a noticeable investment, but consider the cost of not being prepared and being found negligent. If you were a shoe manufac- turer, you would have to sell an awful lot of sneakers to cover the likely damages paid to a claimant in the event that the claimant prevails in a duty-of-care case against you.
Common mistakes companies make when starting out with their first TRM pro- gram include:
1. Travel Insurance—Using consumer-based travel insurance products for broad, enterprise- wide use. Not everyone who inherits the responsibility of managing travel within an organization has travel industry experience, and sometimes when faced with decisions early in their training about the kinds of products to source, they refer to consumer-based prod- ucts, such as trip-based travel insurance. These kinds of products often have coverage not needed by a company (may be covered in other policies, if at all), charge excess premiums based upon age or preexisting conditions, and many will not preauthorize or arrange direct payment to hospitals and clinics abroad, requiring the customer to pay for all expenses in advance and file for reimbursement upon returning home. This could result in many thousands of dollars in out-of-pocket expenses without any guarantee of payment for those expenses deemed ineligible. Additionally, if a delay in payment results in delayed or denied treatment, employers could end up liable for additional damages.
2. Services, Support, and Gaps in Coverage—Emergency medical memberships or “network access” types of programs can be sold at a company level as well as at an individual level, and are often mistaken as insurance. While membership sometimes covers the cost of medical evacuation, and access to medical advice or referrals, they sometimes do not cover medical costs. Sometimes these kinds of memberships are purchased with this in mind because a separate insurance plan indemnifies the company from any expenses incurred through the medical membership’s referral/supplier network. Other times, clients can opt to “self-insure” and pay for expenses directly as incurred, or buy a supplemental policy with the membership to cover expenses. The mistake is not understanding the dif- ferences between insurance and network access, along with gaps in coverage.
3. Monitoring Only International or High-Risk Trips—Because so many TRM-based traveler tracking and disclosure products charge using a per-booking fee structure, companies get stingy and think that they can save a few bucks by negotiating a deal where they only moni- tor and pay for international trips or trips to high-risk destinations. This is wrong, for many reasons, such as:
a. A crisis can happen anywhere, from natural disasters and civil unrest, to acts of terrorism.
b. Major events can and do happen in low- to moderate-risk locations quite often.
c. If you are only actively monitoring international travelers, how can you effectively protect and fulfill your duty-of-care obligations to those domestic travelers, in from out of town, in the same city as your international travelers, where a bomb may have just gone off?
4. Insufficient Crisis Support—Having more than one number for travelers to call in a crisis (e.g., one for medical issues, another for security issues, etc.), or not having sufficient crisis support because you think that a medical services hotline alone is sufficient.
5. Overlapping or Extra Insurance—Understanding what a company already has in place in the form of business travel accident or other forms of corporate insurance, and working closely with your legal, human resources, and finance departments, can help to avoid the possibility of being overinsured.
6. “This Won’t Happen to Us!” Syndrome—Putting off or avoiding the implementation of a proof-of-life policy and kidnap/ransom insurance coverage.