GETTING PERSONAL

Travel and HR managers are no strangers to risk assessments. Whether performed in-house or left to a TMC or security advisor, there is generally some form of evaluation of whether a traveller could be put in danger when taking a business trip. But this is usually assessed on the location and the current environmental or geopolitical factors affecting that destination such as natural disasters or military coups.

The Covid-19 pandemic has highlighted a number of areas in which corporate travel management can change for the better, and the safety and security of employees has risen to the top as a high priority for many companies as travel returns. With so many new factors creating potential hazards for travellers, how can businesses assess the true risk for each individual employee? One idea mooted in recent months is highly personalised risk profiles whereby travelers can disclose details about themselves, such as medical conditions, race, religion, sexual preference and other factors that might affect their level of risk depending on the destination.

Some companies may already be putting together personal risk profiles for employees under a different guise and for a different purpose, according to Bruce McIndoe, president of McIndoe Risk Advisory LLC.

"The concept has been around for a while," said McIndoe. "A lot of companies call it 'insider threat' but I prefer to call it 'insider risk'. What companies do is collect data on an employee's online activity or the types of communication they're having. They will then create a score that shows the potential for an individual to be a higher risk than anyone else. The people that bubble to the top as the highest risk will get a lot more attention from security managers to make sure they're not conducting fraud or creating other issues that could be detrimental to the organisation.

"It's been a long-term practice and I think insider risk teams are very familiar with the challenges of collecting that amount of data on an individual in terms of security, privacy and civil liberties. They've navigated those waters for years.

"What we're talking about when it comes to travel is looking at the risk to the person rather than the risk of the person to the organisation, but it can use a lot of the same technology and approach."

Rather than looking at the broader risks of a destination, McIndoe said companies could be paying attention to specific risk factors of the individual travelling.

"If I'm of a certain ethnic background and practice a particular faith, my risk profile, even within my own country, might be higher in some locations than someone with different attributes."

It sounds like good advice. After all, companies have had to navigate personal risk factors for female travelers, LGBTQ+ employees and disabled workers for years. But do employers risk claims of discrimination if they ask for details such as a person's race or religious beliefs? McIndoe believes it's all about the terminology involved.

"When I talk to companies on this topic I try to couch it in the term of 'vulnerability' rather than 'risk'. What you're really doing is creating a vulnerability profile - these are the personal factors that could, depending on where I'm going, increase my individual risk."

McIndoe clarified: "In the current pandemic, if I'm immunocompromised and I come into contact with Covid-19, I'm at higher risk of becoming infected and seriously ill than a healthy 18-year-old. Even looking at personal factors... being gay is not a risk in itself, but it is a vulnerability if I'm in an environment with anti-gay sentiments. It's about identifying vulnerabilities in threat environments, so if there's a threat but I have no vulnerabilities, then the risk is lower for me. It's a different interpretation of the same thing."

But Philip Stewart, founder and director of intelligence at Tapis Intelligence, said he worries companies might become too focused on small details. "Obviously you have to manage the risk of everybody individually and consider their personal risk as much as possible, but if a profile showed that an employee identifies as LGBT and they're going to the Middle East, but a colleague is straight and going on the same trip, would they get different advice because their risks are different? Would the travel manager actively reach out to the LGBT person but not the other? I think you'd be treading on dodgy ground if you started doing that.

"Every traveller should get information about all of the risk factors of a destination so they can come forward if they have any concerns or want to know more. Employees should be able to make informed decisions about their personal level of risk. I'm not sure it should be the company making those decisions."

Looking at the topic in another way, risk profiles could have some advantage when it comes to identifying medical vulnerabilities. Dr Luke Kane, medical officer at Healix International, said the pandemic has highlighted the need for businesses to have open and honest discussions with their employees about their health.

Dr Kane said: "I think there has to be a culture of trust within the organisation whereby employees feel comfortable disclosing medical conditions that might put them at greater risk, and they should feel confident that the information will be safe and not used against them. Companies need to harbour an environment of open communication, and employees should feel able to raise their hand and speak up if they feel uncomfortable about the questions being asked."

However, harvesting this information creates a tricky situation for companies. Asking employees about their religious beliefs, sexual preferences and health status might raise concerns about data protection, particularly as some of these attributes are considered highly confidential. With the rise of social media has come a growing awareness among everyday people about the kind of information that can get into the wrong hands and the effect that can have on individuals.

There are also details employees might not wish to disclose to their employer, such as a woman in early pregnancy who wants to wait to inform her company in order to avoid potential discrimination because she will require maternity leave.

McIndoe believes one way to effectively manage the data and avoid uneasiness for employees is to put it in their own hands so they can then decide what information to share and when. "My recommendation is for companies to provide risk information or even a tool for people to run their own self-assessment without storing data and divulging that data to the company. They can fill out a form that doesn't store the data and at the end they get a personalised recommendation based on their answers."

But Dr Kane sees the issue differently. "I think that if a company has made the decision to conduct personal risk calculations, they should be willing to collect and protect that data rather than leaving it to the discretion of the employee. If a person doesn't want to share that information, that's their decision, but if a firm has committed to operating profiles they need to be in charge of managing the data."

Dr Kane also believes companies risk collecting too much data on their employees. "Through my work with the UK's National Health Service I understand the basics of the General Data Protection Regulation (GDPR) and I know that companies need to tread carefully. There have to be robust protections in place and employers should only ask for the information they deem to be essential for conducting risk assessments. Again, employees need to feel safe speaking up if they feel they're being asked too many questions."

Tapis Intelligence's Stewart said collecting such data could become too resource-heavy for some companies. "I think it's potentially a waste of time because it would be quite labour intensive to maintain that data and I'm not sure how much benefit the profiles could offer. It's an interesting concept, but how would it be managed? It would be very time-consuming to have either the employee or a manager make sure that each profile is kept up to date.

"Risk management should be an enabler of business travel. It should open doors and allow people to operate in these new and challenging environments. If personal risk profiles or questionnaires add another layer of bureaucracy, I think it would be very limiting for a company's travel programme."

There could also be regional differences in how employees - and governments - view the practice of personal risk profiles, particularly when it comes to disclosing certain health information.

In England, Scotland and Wales, employers are subject to laws and regulations under the Equality and Human Rights Commission, which guarantee a person's right to a private life. One such regulation that is of particular focus right now is the fact that companies cannot require employees to disclose their vaccination status, though with current country-by-country restrictions in place, a worker would obviously have to divulge this information if it means they cannot travel to a particular destination.

That stance differs from those taken in the US, where government contractors are required to be vaccinated against coronavirus and several airlines have instituted vaccine mandates. Some companies have also introduced business travel bans for unvaccinated US employees and those unwilling to disclose their status.

Dr Kane believes that even in the US where regulations around collecting health data from employees are less clearly defined, there will be legal challenges to such mandates. "If you deny a person the ability to travel for work and all the benefits that come with it, I think you risk stepping into the realms of discrimination," he said.

Whether companies decide to keep personal risk profiles stored on a database or assess trips on an individual basis, what is clear is that managing traveller risk has become more important than ever.