Five Best Practices for Travel and Security Managers.
“There’s a new conventional wisdom in town: wherever risk management lives within the company structure, travel management and security both should have a seat at the table.” — Business Travel News
If you attended our April presentations at LA BTA, LA BTN, or ACTE in NYC, you may remember a key theme we see from our customers (also called out in the article below from BTN): successful security and travel managers coordinate extensively — before, during, and after a crisis.
And here are our top five takeaways from the article based on our experience:
1. Whether their title is “travel manager”, “security manager” or otherwise — strong risk managers seek to overcome the pitfalls of silo’d information.
2. Strong risk managers address potential gaps in technical data flow — both within their firm and between their firm and their vendor.
3. Good travel policies and itinerary data flows are critical — but insufficient on their own.
4. Severe incidents like the attacks in London drive senior executives to de-silo their processes. Strong travel and security managers take action before severe incidents happen.
5. Many travel teams are small — and may be comprised of a single person covering multiple roles. Look to use automation and business rules to alert you — and your employees — only when needed.
Below, we dive deeper with some tactical tips.
Strong risk managers — whether their title is “travel manager,” “security manager” or otherwise — seek to overcome the pitfalls of silo’d information.
Deep dive and tactical tips:
Travel data and management (by travel manager and software integrations) are essential components for thorough risk management.During an incident, communication should be coordinated through a shared messaging framework for travel, security and HR leadership.Travel managers bring important skill sets, knowledge, and vendor relationships to the risk management conversation.Consider how the same “de-silo” principles below may apply to other aspects of risk — like supply chain management. (We’ll dive deeper here in the future — but if a security incident is affecting people, there’s a decent chance the incident has also affected your firm’s supply chain.)
Two Harvard professors wrote about the problem of silo’d information in the wake of the financial crisis and BP oil spill in 2012. Their suggested framework for risk management is an excellent read for any risk manager, and their comments on the dangers of silos are particularly apt here:
“A cognitive-behavioral trap awaits risk managers. Because many strategy risks and some external risks are quite predictable — even familiar — companies tend to label and compartmentalize them, especially along business function lines. Banks often manage what they label “credit risk,” “market risk,” and “operational risk” in separate groups. Other companies compartmentalize the management of “brand risk,” “reputation risk,” “supply chain risk,” “human resources risk,” “IT risk,” and “financial risk.
Such organizational silos spread both information and responsibility for effective risk management. But this inhibits discussion of how different risks interact.Good risk discussions must be not only confrontational but also integrative. Businesses can be derailed by a combination of small events that reinforce one another in unanticipated ways.”
They are correct: a single security incident — like an attack on an airline — can disrupt travel, invoke duty of care obligations, diminish sales in that particular geography, and disrupt supply chains. These harms may in turn exacerbate each other. Disrupted supply chains can disrupt revenue, and so on.
In support of travel management and security management coming together, Regeneron’s Cindy Shumate describes the need for travel to have a seat at the risk management table:
“When I got here a year ago, there was a small group, which consisted of the head of global security and then two people from HR, working with our risk provider. They thought they had integrated completely with a [passenger name record] data transfer, but it just wasn’t connected with the travel aspect; the two messages were disconnected.
All of a sudden, here I come. I’ve worked very closely with two different travel risk providers [when working at Estee Lauder and Princeton]. [We now provide] a very integrated message.”
Among other benefits, when travel, security, and HR work together, messaging to employees is aligned. If not, Misys’ Mauro Ruggiero noted: “You get mixed messages going back and forth to the travelers.”
2. Strong risk managers address potential gaps in technical data flow — both within their firm and between their firm and their vendors’ systems.
Deep dive and tactical tips:
- Ensure your emergency management process integrates flight itinerary data from your TMC — as well as contact data from your HR contact database.
- Many TMCs will automatically update traveler profiles from your HR database, but if not, your risk management vendor should do this for you.
- Periodically review your contact data to ensure that, in an emergency, an employee can actually be contacted.
- Your vendors should provide solutions for improving the quality of your contact data. If they’re not concerned about data quality, they’re not putting themselves in your shoes.
Cindy Shumate from Regeron addressed the issue of data quality in the BTN article:
“Interestingly, on March 22 during the London attacks, when we had a need to turn to our [risk management] provider, they told us that out of 625 PNRs that had been transferred from our TMC into their system, 621 were lacking email addresses and cell phones.”
Think about that… 99% of Passenger Name Records (PNRs) were missing basic contact information during a severe incident. Here’s where HR can help: most HR databases have much better contact information than the TMC’s PNR.
That said, HR databases — as they sit today — are typically not the full-stop solution for finding employee contact information. In fact, in running emergency mass notification drills with our clients, at Stabilitas we’ve often found that HR databases can have 50% — or more — incorrect or missing contact fields.
Good travel and risk management vendors can help you solve this problem.
3. Good policies and itinerary data flows are critical — but insufficient on their own.
In the BTN article, AIG’s Dan Gallagher notes the value of AIG’s travel policy in helping to avoid dangerous areas — and also mentions the challenges of locating people on the ground in London during the March 22 attack.
At Stabilitas, we recommend emergency management teams confront information gaps head on, and use processes and technology to address them.
For us, travel itinerary data forms an important component of locating an employee during a crisis — or knowing if an employee is at risk in the first place. But like a one-legged stool — travel itinerary data as a means to locate an employee is insufficient by itself.
Tactical tips on addressing information gaps:
4. Severe incidents like the attacks in London drive senior executives to de-silo their processes; Strong travel and security managers take action before severe incidents happen.
Deep dive and tactical tips:
- Strong risk management teams recognize that employees may be at risk — and not just their travelers.
- For more reading on the data mentioned above, please see here from the Washington Post, or here from the NYTimes.
At Denver’s GBTA in 2016, we spoke on the rise of terror in Western Countries — the attacks in Paris, Brussels, San Bernardino, Orlando, Nice, and London to name a few.
These incidents are changing our perception — and our employees’ perception — of a “safe” area. A “traveler-only” lens misses the opportunity to provide the benefit of care for all employees.
5. Many travel teams are small — and may be comprised of a single person covering multiple roles. Look to use automation and business rules to alert you — and your employees —but only when needed.
Deep dive and tactical tips:
- Automating processes and defining procedures in advance can help.
- Ensure your risk management vendor can alert you — or the employee — only when necessary.
- Use business rules (like “2km distance to facility or person” and “high severity” only) to pre-configure when alerts should be sent. This ensures that recipients are not overly-alerted. When a real incident occurs, you’ll want to ensure employees take the alert seriously.
Small teams — or even individuals wearing many hats — often feel overwhelmed when supporting Duty of Care. This was a common theme in the BTN article. One of the most common themes of frustration is “over-alerting” — receiving alerts that aren’t useful. This is especially challenging for small teams with limited time.
This article is meant to give some quick thoughts on reasons and methods for collaboration between security and travel teams. We’d love your feedback. Send us a note at “firstname.lastname@example.org” and let us know your take on collaboration.
Stabilitas (www.stabilitas.io) helps companies keep their employees safe. Stabilitas uses Artificial Intelligence and human analysts to detect security incidents that affect a firm’s people, facilities, and other assets. Stabilitas automates incident alerts, providing faster notifications and warnings. The Stabilitas platform enables a security team to then send out mass notifications to thousands of employees via the Stabilitas app, SMS (text), voice call, or emails. Customer’s employees can view incidents on their smartphones. Stabilitas’ partnership with Troovo itinerary integration makes Stabilitas an all-in-one tool for GSOCs, security managers, and travel managers concerned about Duty of Care.