This chapter discusses what it means to have your own internal crisis response plan, and the key components of one, as well as how it works in concert with third-party resources to manage incidents as they arise.

What constitutes a crisis within the framework of travel risk management?

Although the answer may vary from company to company, the general definition is that a crisis is “an incident with the potential for severe bodily injury, loss of life, or mass travel delay.” This definition is very subjective and is broadly used on an indus- try level. On an organizational level, depending upon a company’s culture and risk threshold, a crisis can be defined as an incident that impacts a distressed individual traveler, a loss of company property with the potential for intellectual property loss, gross misconduct of an employee or traveler that could impact the company’s reputa- tion, etc. One might consider natural disasters or terrorism in the context of travel- related crises. However, depending upon how one views a situation, a company could easily consider a senior-level executive being arrested for solicitation of prostitution in another country while on business a crisis. The potential damage that such arrest could do to the company’s image should the incident be leaked to the press could be difficult to manage. Another example might include the inability to get key personnel into facilities or critical business meetings because of third-party or environmental interference, such as border closures as a result of medical quarantines or civil unrest.

Again, each company’s approach to risk is different, so any sample program out- lines may vary from one organization to the next, but consider the following compo- nents when creating a crisis response plan for your company:

● Create crisis team(s)

● Designate team leadership

● Business continuity plans

● Business impact analysis by incident

● Eminent disruption/contingency plans

● Pandemic plans

● Contract third-party crisis response support

● Define crisis response protocols, thresholds, and escalations

● Designate organizational command center

● Define organizational crisis communications process

● Define reporting and status process

● Conduct crisis “readiness’ exercises

● Continuous process improvement

● Insurance and payment options for support services and case management

5

Building a Travel Risk Management Program 102

Crisis management team

First and foremost, companies need to designate an internal crisis management team that includes senior-level executives who are authorized to make final decisions as they are related to risk.

● Designate team members capable of making strategic decisions as needed when called upon, including hierarchy of decision making authority.

● Document each team member’s complete contact information, including afterhours infor- mation (always include mobile phone numbers). Make this available to contracted crisis response supplier.

● Ensure that alternates are in place for each team member in case of a planned or unplanned absence of a primary team member.

● Designate team leadership by protocol, region, or task.

● Designate information technology (IT) team leader and support staff contacts in case of intellectual property theft or loss, or hacking of company computer or mobile phone.

● Human resources must be represented on the team for employer and employee labor law and regulatory compliance and human capital support.

● Legal resources must be represented on the team for incidents involving violations of law between traveler and company or traveler and third parties while representing the company.

● Facilities resources must be represented on the team for utilization of facility resources and supplies, closest resources to facilities, and security effectiveness of facilities to shelter in place when necessary.

● Marketing and communications resources must be represented on the team to provide information and announcements, both internally and externally (including the media, law enforcement or regulators when necessary).

Travel risk management and crisis management should not exclusively be moti- vated by money or the bottom line, but because it is the “right thing to do.” However, when facing a committee or board that isn’t swayed by moral obligations or legal precedent based upon duty of care, showing the committee or board the Accenture research document “Markets Don’t Lie. Tracking a Crisis Through Share Price,”¹ which shows a correlation between a company’s share price following a crisis and should hopefully, motivate stakeholders to be more proactive.

Risk disclosures and crisis response

1. Third-party, nongovernmentally sponsored safety and risk intelligence must be made avail- able to all travelers and explained within the policy as to how and when this information is to be made available, such as:

a. Link to third-party database via company intranet b. Links to third-party database via traveler itineraries

c. Push of alerts and risk intelligence via e-mail based upon itinerary destinations (always provide risk disclosures to travelers via both push and pull communications, document- ing provision of and access to information within policy)

1http://spotidoc.com/doc/169011/corporate-crisis-management

Crisis response 103

2. Document emergency medical services and insurance provider details within policy, outlin- ing coverage and exclusions where possible (include in hotline protocols)

3. Provide a single phone number for all crisis response support to travelers for all medical and nonmedical emergencies, including, but not limited to:

a. Medical emergencies and evacuations b. Personal safety emergencies and evacuations c. Loss of property or intellectual property

Business continuity plans

Even though companies spend considerable time and effort on their business continu- ity plans, there are several components of a business continuity plan related to risk that should always be added and adopted as industry standards, addressing many

“what if” scenarios that can impact your business. Additions to be considered include:

1. Business impact analysis—What if the only international airport near your offices closes down or is shut down for some reason? What if your employees can’t leave the country because the area between your facility and the airport is under quarantine or the roads have been closed? What if there is civil unrest near or around your offices or wherever your key stakeholders are traveling to, and your people can’t leave the office or can’t get to the office safely for several days? What is the impact of these various scenarios on your business?

Companies should use a business impact analysis to help you determine what the potential losses or costs to the business could be in the event of general or sometimes known specific critical incidents. Examples to use for business impact analysis might be:

a. Natural disasters

b. Transportation disruptions c. Civil unrest

d. Biohazards and pandemics

Establishing some metrics for potential costs to the company because of the loss of productivity per day for individuals as well as corporate facilities will help with the values associated with significant interruptions.

2. Eminent disruption plans—What if access to your facilities was interrupted for a long period of time? What if all standard communications were down for an extended period of time at and near our facilities? What if access to water and electricity were unavailable?

Similar to a business impact analysis, eminent disruption plans are what appropriations and/

or arrangements have been planned for under the circumstances where travel or operations have been disrupted without much notice. These plans should always be addressed in layers or levels, with specific goals in mind at each level, starting with:

a. Risk assessment process before and after disruptions

b. Identification of regulations that establish minimum requirements for your plans c. Security and safety of all stakeholders (personnel, contractors, visitors, locally impacted

environment at large) i. Transportation

ii. Emergency response (fire, ambulance, etc.) iii. Shelter in place

iv. Employee assistance

Building a Travel Risk Management Program 104

d. Increasing supply levels of things like emergency food, water and medical supplies e. Alternative means of communications (hard line connections, satellite phones, Internet

connectivity, etc.)

f. Minimal operational functionality—define what is minimal functionality, from the indi- vidual to the facility

Additional areas to address in eminent disruption plans are potential violations of the FCPA (U. S. Foreign Corrupt Practices Act), particularly for publicly traded companies and their officers, directors, employees, stockholders, and agents, and other legal and ethical issues as a result of your plans and decisions.

3. Biohazard/Pandemic Plans—Whether from internal or external exposures to chemicals, viruses, bacteria, or other harmful substances, every business continuity plan must have a supplemental biohazard/pandemic plan. Using the World Health Organization’s pandemic plan checklist for influenza as an example, some high-level points to consider in your bio- hazard/pandemic plans are:

a. Preparing for an emergency i. Command and control ii. Risk assessments

iii. Communication (internal and external) iv. Legal and ethical issues

v. Response plan by pandemic phase b. Surveillance

c. Case investigation and treatment d. Preventing spread of hazard or disease

Defining contracted third-party crisis response support

1. First line of support for travelers—One hotline number to call globally for any kind of perceived emergency (excludes general travel reservations and changes, unless commercial travel is unavailable or traveler needs additional assistance in facilitating safe travel).

2. Case management and documentation of all incidents—Having an intermediary for col- lective recording and documentation of all interaction between impacted parties, company stakeholders, suppliers, insurance providers, etc., via the designated hotline, to ensure that company policies and protocols are being adhered to, from a cost, legal, ethical, moral and regulatory compliance perspective.

3. Recording of all calls.

4. Facilitation of company’s predefined crisis protocols (whom to call/when). When to handle situations that are preauthorized, for example, medical services under specified spending limits (e.g., based upon established protocols, providing automatic approval for payment of non-life threatening treatment under $50,000 USD (amount set by company protocol and/or insurance policies). Approval may be in conjunction with hotline, case management repre- sentative coordinating with the company’s designated insurer and medical service providers for the region of the world where the traveler needs treatment.)

5. Use of third-party resources (extraction, secure ground transport, executive protection, medical support and/or evacuation, etc.).

6. Coordination with client insurance providers or suppliers for service orders or payment of services.

Crisis response 105

7. Active traveler monitoring via tracking and outreach as directed by company policies and protocols.

8. Provision of alert and various other forms of risk intelligence, which is useful in mitigating and managing crisis response (both proactive and reactive disclosures).

Define crisis response protocols, thresholds, and escalations

Before you can fully define your crisis response protocols, organizations must clearly define who is in charge in a crisis situation. Does the decision authority change by location or type of incident? As with every aspect of risk management planning, it begins with assessments.

Essential assessments in crisis response protocol planning include:

1. Does your insurance or contracted emergency medical support and evacuations services provider cover your travelers globally?

a. Understand the coverage and its limitations

i. Will it guarantee third-party payment for services, or must the individual or com- pany provide payment and file for reimbursement later?

ii. What are the processes required by the insurers or service providers to qualify for coverage and payment?

iii. What exclusions or gaps apply to your coverage, if any?

2. Does your crisis response support, provide nonmedical security resources globally?

a. Are these services (e.g., nonmedical evacuations, secure transport, executive protection) covered by insurance?

i. Who provides the coverage?

ii. What is covered and where?

iii. What are the processes required by the insurers or service providers to qualify for coverage and payment?

iv. What exclusions or gaps apply to coverage, if any?

3. Are predefined authorizations for services set up with your crisis response support for costs up to a specific amount?

a. Who is designated to authorize payment for costs over these amounts (by incident type, region, or amount)?

4. How do policies impact crisis response protocols?

a. Maximum employees per flight b. Prohibited use of certain suppliers

5. What processes or types of incidents trigger activation of corporate command center or crisis task forces (e.g., anything that threatens business continuity)?

Bear in mind that crisis response protocols are triggered by an incident already hav- ing taken place. Unlike pretrip or avoidance processes or protocols, crisis response and mitigation protocols are “post incident.” Some general protocol categories include:

1. Medical-related support calls (nonevacuation)—Transfer and support of calls from travelers needing medical support, but not requiring evacuation, to client-contracted medical support providers/insurers. This usually does not require crisis response team involvement, unless

Building a Travel Risk Management Program 106

support exceeds an expense threshold above what insurance covers and/or policy sets. These incidents are often completely handled by third-party crisis support, with reports being sent to company stakeholders at preset intervals.

2. Medical-related support calls (with evacuation)—Transfer and support of calls from travel- ers needing medical support that leads to a necessary medical evacuation to either the traveler’s home country or the nearest equipped medical facility where the most appropriate support for the patient’s needs can be given in a timely fashion. This usually involves the notification of and communication with a crisis response team member, according to policy, especially if any additional guidance or approvals are needed.

3. Security-related support calls (nonevacuation)—These calls can range from fear regarding personal safety because of a stalker or civil unrest, or problems with the local authorities, and often are resolved by the third-party crisis response centers, by counseling via phone and/or engaging their local contacts near the traveler to provide support on an as-needed basis. Unless the incident involves the potential for excess liability or expenses exceeding amounts preauthorized for the third party to manage, a crisis response team would not likely be notified until receiving a copy of the reports documenting the incident. Within this cat- egory, companies would likely document with third-party crisis response support providers, things like who their insurance providers are for different types of security issues in differ- ent regions of the world, such as kidnap and ransom insurers and support, or if no insurers are on file for certain incidents, such as nonmedical evacuations, whether the company will pay directly for the cost of services rendered. What amounts are preauthorized, before requiring the involvement of a crisis response team member and from what region, are also documented.

Risk protocol thresholds can be related to pre-authorized expense amounts based upon things such as risk ratings for a location, which is a good example of how pro- tocols for different incidents and locations may vary (e.g., pre-authorization of armed and guarded ground transport may be part of a standard protocol for travelers in Egypt, but not in the UK, based upon different location risk ratings and other factors).

Examples of some risk thresholds incorporated into crisis response plans may include the exclusion of travel to or via countries with a level 3 or above risk rating on a scale of 1 to 5. Another example could be the qualification that payment for extraction or nonmedical evacuation not covered by insurance must meet predefined criteria. The difficult truth about crisis response is that sometimes employers often set monetary limits for certain types of actions. It’s just the reality of things, but at least when these limits are set, the employer has thought through these different use cases and is more prepared than those employers who have no policies or protocols in place in the event that internal or third-party crisis response and support is required.

Designate organizational command center

Generally, senior business continuity stakeholders are a part of the organizational command center, responsible for brainstorming solutions and taking part in crisis response exercises based upon policies and procedures that they create. Even so, you still need a chain of command in which someone is in charge and can make costly and/or critical decisions on behalf of the company. Regardless of the decisions made

Crisis response 107

during a crisis by delegates, the person in charge should always be informed, as delegates may have been acting in her/his absence, or were authorized to act by the primary stakeholder.

There should be a primary meeting place designated for the group, documented with address and phone information, along with an established conference line and/or web conference capabilities, as well as a central command center e-mail address as an alternative form of communication from the field for status updates, if other methods of communication are down. Separate from a global command center, regional com- mand centers should be considered as well, based upon the concentration of business facilities and assets in the respective regions. The use of a command center, whether physical or virtual, is typically reserved for incidents of extreme circumstances that your third-party crisis support cannot handle alone, based upon your predefined poli- cies, insurance, and established risk-and-spend thresholds.

Included in company policies and procedures should be a process for what trig- gers the activation of one or more command centers (based upon type or severity of the incident in question), and a method for notifying command center stakeholders, requesting when and where they should assemble. Once assembled, in conjunction with your third-party crisis response provider’s support, stakeholders should:

● Assess the situation based upon intelligence provided by their third-party support and any other appropriate resources

● Log/document the situation as much as possible

● Assign tasks to command center stakeholders

● Deploy resources

● Monitor status with continued documentation

● Provide executive briefings

Although there are some “virtual command center” software programs available, much of what they provide is redundant to what companies with best-in-class pro- grams should already have with a third-party crisis response and intelligence provider such as iJET, Control Risks Group, or Drum Cussac.

Define reporting and status process

Acknowledgement of the situation, along with regular updates approved by senior leadership should be communicated to the company and sometimes externally via approved channels, including, but not limited to, intranets and extranets.

Hopefully, before an incident takes place, because of the travel and/or asset risk management platforms that employers have in place, a quick list of potentially impacted individuals and facilities can be identified and be used as the basis for a communications list in addition to key stakeholders and executives. These traveler tracking or asset risk management platforms should have the ability to not only auto- matically forward relevant alerts provided by your intelligence provider, along with updates, but also provide a conduit for any manual messages from your command center or key stakeholders to be sent via e-mail and/or SMS text message. Having this capability is a must. If you do not have it, and are procrastinating about obtaining

Building a Travel Risk Management Program 108

these features, as well as others, such as trip briefing disclosures, you are doing a dis- service to your organization and its travelers and potentially setting yourself up for excess liability.

Conduct crisis “readiness” exercises

There are four primary areas of crisis readiness to base your exercises on:

1. Emergency Management—Generally day-to-day processes for incidents that can routinely be addressed via third-party support and defined protocols. This is often managed in con- cert between security (if applicable), human resources, and your third-party crisis response provider.

2. Crisis Communications—The process by which an alert or incident exceeds the company’s threshold for acceptable risk and must be escalated and communicated to the general popu- lation and/or targeted individuals.

3. Crisis Management—How crisis response teams and command centers, along with third- party support, handles a variety of use cases from pandemics, civil unrest, war, terrorism, and natural disasters, to politically sensitive situations that could risk lives, investments, or the company’s reputation.

4. Security Management—How a breach of confidential data via loss or theft of intellectual property is handled, as well as how to react to any lapse or breach in safety or service pro- tocols for things like executive protection and physical security assets and services.

Continuous process improvement

Without a structured framework and plan toward travel risk management, and the means for measuring performance with metrics, continuous process improvement isn’t possible. The industry standard for a common framework is the TRM3 (Travel Risk Management Maturity Model) as mentioned and discussed in previous chapters.

Even though each company’s approach and protocols may be different in each key process area of the TRM3, if your program collectively addresses each of the KPA’s, you should have the basis for measuring improvement year over year when bench- marked against other companies.

In consideration of the TRM3 key process areas, some examples to be considered or reviewed year over year with respect to continuous process improvement are as follows:

● Have your total number of emergency medical and security claims decreased?

● Has the total number of annual calls to your crisis hotline gone down, because of training, pretrip mitigation, or for some other reason?

● What is your average response time for accounting for any impacted travelers once a crisis communication has been distributed/received (e.g., from the moment that employers are notified of an incident, until they have tracked and accounted for all potentially impacted travelers)?

● How many incidents were supported by existing protocols and third-party support services, versus requiring escalation or exception support?