Although totally understandable due to the dramatic events that regularly hit the headlines, the 'risk reality' of business travel is quite different to what managers fear. Survey results published by ABTA earlier this year revealed more than half of managers (59%) state that their fears for business travellers focused specifically around security and terrorism related incidents. But it's far more likely that a business traveller will be taken unwell, be involved in a road traffic accident or be affected by a severe weather situation than find themselves victim of a terrorist attack.
In a review of more than 2.5 million trips to the 50 most popular countries visited over the course of a year, only 5% of the incident alerts we published classed as higher threat levels. The vast majority of our alerts day to day relate to disruption on the travel networks (road closures, traffic accidents, rail delays etc.). Despite the increasing news coverage of terror related incidents, the likelihood of actually being caught up in such an event is still thankfully very slim.
The survey reported by ABTA also highlighted the unease managers feel about dealing with incidents (of any kind), with 53% stating that they felt underprepared to manage an issue involving their staff travelling on business. This result also echoes an emerging theme discussed at this year's ITM annual conference.
While certainly not the case in all organisations, increasingly we are seeing the role of the 'travel manager' being looked to for guidance, information and support regarding incidents from both travellers and other internal stakeholders within the organisation. This has become especially so over the last few years following major incidents in what are deemed to be safe environments (Paris, Barcelona, Brussels, London and Manchester).
In fact, in the absence of clear lines of governance and accountability, the travel manager is often taking on the responsibility of crisis and risk management to ensure the safety and wellbeing of their travellers, which in turn creates the anxiety and fear that these managers are experiencing.
As a risk practitioner dealing with clients daily, it would be all too easy for me to stoke the fire and take advantage of the understandable fears that many have. For me though, the number one priority is to get to grips with what risk means in order to make the right strategic decisions moving forwards. Having even a basic understanding of the fundamentals and therefore being able to 'sanitise' it to some extent, really helps in dealing with risk on a day to day basis and in those, still quite thankfully rare, times of major incident.
Understanding risk
To fully understand risk, it's important to go back to basics and recognise the differences between some frequently misunderstood and therefore mixed up terms - namely assets, threats, vulnerability and risk. So in the simplest of terms, what do each of these mean and why is this important?
Commonly quoted definitions help…
Asset = people, property or information. People can include employees, customers, contractors and others for whom you have a duty of care. Property includes both tangible and intangible items that can be assigned a value (from premises through to reputation). Information may include databases, software code, company data etc.
An asset is what we're trying to protect.
Threat = anything that can exploit a vulnerability, whether intentionally or unintentionally and has the potential to obtain, damage, or destroy an asset.
A threat is what we're trying to protect against.
Vulnerability = weaknesses or gaps that can be exploited by threats.
A vulnerability is a weakness or gap in our protection efforts.
Risk = the potential for loss of, or damage to, an asset as a result of a threat exploiting a vulnerability.
Therefore: Asset + Threat + Vulnerability = Risk.
So how do we go about managing risk?
One way is to simply impose strict limits on business travel but this is highly impractical and would be seriously damaging to business.
Fortunately, by understanding and assessing risk, we can manage it and in doing so, limit the likelihood of any negative impact on either the organisation or the individual.
In order to understand and ASSESS risk, you need to know two things.
- What are the likely threats or hazards?
- What are our vulnerabilities?
In order to MANAGE the risk, you need to bring in
- Measures to avoid the threats
- Measures to reduce the vulnerability
Assessing risk
What are the likely threats or hazards?
Even within individual countries or defined regions, threat types and levels can vary significantly and change constantly. Getting 'destination intelligence' from a reliable source that can cut through the white noise and provide expert insight and analysis of the potential threats is vital.
What are our vulnerabilities?
1) The organisation: Every organisation will have its own unique vulnerabilities whether these relate to the nature of the business (ie what the organisation does and whom it does business with) or to its own internal operating methods, policies and behaviours.
2) The individual: Individuals are just that — individual. Beyond their obvious socio demographic differences, the everyday behaviour of individuals can vary greatly. Remove them from their familiar surroundings and their behaviours can also be affected more than may be appreciated. Seasoned travellers can become blasé about risk believing they know what they're doing, failing to comply with policies, booking 'rogue excursions' or side trips. People become complacent or are simply unaware of how to act or react in certain situations. Add to that the stress and fatigue often associated with business travel and the cracks and vulnerabilities are suddenly very real.
It's therefore vital for organisations to really understand not just how their own operating methods may affect their vulnerability levels but also how the behaviour of their people can be just as, if not more, important.
Managing risk
Is it possible to avoid the threats?
Threats themselves may be out of our control but having the destination intelligence can play a great part in helping to avoid potential threats and, should avoidance be impossible, this awareness can significantly help in knowing how to prepare both the organisation and the individuals. Forewarned is definitely forearmed. This information should also provide organisations with the ability to decide on the appropriate course of action — alert, divert, stop or respond.
How can we reduce vulnerability?
Just having the above information goes some way to enabling the reduction of those vulnerabilities...but only if we act on the information at our disposal. Focusing specifically on pre-trip and active-trip phases, there are a number of areas under the direct control or the organisation that can reduce their (and their travellers') vulnerabilities. These range from having clearly defined (and adhered to) policies and procedures in place; to providing the appropriate levels of training for travellers; to having the mechanisms in place to locate, communicate with and assist travellers 24/7 as needed.
How does this work in the real world and in the case of an actual incident?
At the outset you need to ensure that you have a mechanism for good situational awareness. What's going on in the countries in which you operate, do business in and travel to? You need good factual timely information as without it you are working blind. These are your threats.
Once you have this and you become aware of any incident or threat the first thing to ask yourself is 'so what..?' In other words establish the context. Do you have an office in the vicinity, do you have any expats or business travellers nearby, now or in the coming days? If yes, it is now a potential risk and so it needs assessing.
This assessment means identifying how it could impact your organisation and/or people and to what extent. What are the potential consequences? You need to understand the level of vulnerability and the impact that it could have.
Then you need to determine how to treat it. Your choices are accept it, offset it eg insurance or mitigate it.
The diagram below really helps to understand this concept.
Keep in perspective
Yes, every now and again, the 'unimaginable' will happen, and organisations need to be prepared for this. But it's just as important to be prepared for the day to day incidents that are far more likely to occur.
Having a total understanding of risk and the individual components over which we have control is key. Although we can't change the threats or hazards themselves, we can be more aware of them and can reduce our vulnerability to them, which in turn, reduces the potential risk to both the organisation and its people.
Really getting to grips with risk will help travel managers (and all others across the organisation) make more empowered strategic decisions which will not just help with protecting the safety and security of their travelling personnel but will also help with building a far more resilient organisation in the future.