ISO 31030 & Managing Business Travel Risk

In this Article, Monica Kainja and Milli Richardson discuss the various factors TMCs and other Business Travel stakeholders should consider, especially in relation to ISO 31030.

As the world gears up for the end of the coronavirus pandemic, many people are keen to meet face-to-face once again. Businesses have started thinking about meeting clients in person after a year of zoom networking drinks.

This is why, now more than ever, businesses need to consider the risks relating to business travel and how these risks may be mitigated.

The International Standardisation Organisation (“ISO”), in consultation with the British Standards Institution (“BSI”) has attempted to tackle this issue head-on with the drafting of the ISO 31030 Travel Risk Management Standards, focused on business travel risks (the “Business Travel Standards”).

This note will assist you in understanding what the Business Travel Standards are, to whom they will apply and how they will change the landscape of business travel going forward.

What are the Business Travel Standards?

The ISO 31000 Risk Management Standards were published by the ISO in 2018 and were designed to assist businesses in assessing, planning for and mitigating day-to-day risks. Businesses are able to implement these standards into their strategies insofar as organisational resilience, IT, corporate governance, HR, compliance, quality, health and safety, business continuity, crisis management and security are concerned.

The ISO has gone a step further and has introduced the Business Travel Standards which are aimed, very narrowly, at travel for business. In a similar way as the ISO 31000, these standards are intended to be integrated into a business’ strategies, in order to plan for and mitigate risks as they relate to business travel. Business travel risks can be wide-ranging and may include health and safety risks to personnel. Failure to mitigate such risks could have dire knock-on effects for business, such as litigation and tarnishing of a business’ professional reputation.

Who do the Business Travel Standards Apply To?

The Business Travel Standards are currently in draft form and are intended to come into force later in 2021, although we don’t yet have confirmation as to exactly when this will be.

Once in force, the Business Travel Standards would apply to any business where travel is required. This could be travel by employees for various reasons and would apply to student travel too.

In particular, companies who specialise in business travel would need to pay special attention to the Business Travel Standards as they are likely to provide context and possibly content to contracts with travellers and suppliers.

What are the Business Travel Standards likely to say?

Though we cannot look into a crystal ball and extract from it excerpts of the forthcoming Business Travel Standards, we can look to previous BSI standards and guidance which provide predictive value as far as determining how the Business Travel Standards will shape up. Three such resources are the ISO 31000, the 2016 PAS 3001 Travelling for work standard, and ISO 45001 Occupational Health and Safety Management (together, “the Standards”). Each compels businesses to take appropriate steps to ensure employee security and safety. The Business Travel Standards complement the duties laid out in the Standards for situations where employees are travelling for business. Employers must ensure their employees’ safety whether in transit to, on arrival at a destination, or travelling from a destination.

The Business Travel Standards will require businesses to consider whether travel is appropriate for security, safety or health reasons, and will not simply leave businesses to determine their own travel risk appetite as they will set a universal standard to which they will be held to. The question at the forefront of each business will need to be: how can our employees travel safely?

Engaging in Risk Management

Based on our understanding of the Standards, we expect that the Business Travel Standards will set out clear duties relating to the proper conduct of risk assessments, and will require businesses to meaningfully engage in risk prevention or mitigation. Businesses will need to develop clear management processes which may look something like this:

  1. Identity the risks at the travel destination as well as the areas of transit;
  2. Consider the potential for such risks and certain events;
  3. Consider risk prevention, minimisation and mitigation;
  4. Communicate anticipated risks to travellers and the steps taken to minimise or mitigate them as well as what further safety and security precautions can be taken by them;
  5. Provide travellers with adequate risk response guidance such as medical or emergency response details and accessible services and assistance information;
  6. Provide travelling employees with assistance in the event of any incidents and procure their safe return; and
  7. Provide post travel feedback, reporting and evaluation mechanisms.

A Three Stage Process

The Business Travel Standards will likely require businesses to focus on three stages of travel, which should effectively result in the above seven points being addressed as each of the three stages are considered.

Before Travel

  1. Pre-travel reports which should provide information on travel itineraries and with enhanced information relating to particularly high risk destinations;
  2. Travel alerts which deal with specific and real time risks and updates, as well as predicted events, disruptions and threats; and
  3. Collating relevant information relating to the profiles of the travellers(s) which should address particular needs and vulnerabilities such as health issues.

During Travel

  1. Provision of tools and processes to enable employees to check-in at various points of the journey and on arrival. Employees should be provided with a point of contact (such as a line manager) to stay in regular contact with. Such person should have an up to date and detailed itinerary for the employee’s trip, and schedule regular check-ins. There should be a process for raising alarm if contact is broken unexpectedly;
  2. Provision of itinerary assistance, management or information points; and
  3. Emergency contact information.

After Travel

Post-travel feedback from employees including identifying any risks that are visible on the ground and identifying any post travel support employees may require.

In summary, it is expected that the Business Travel Standards will set out a structured approach to the development, implementation and review of risk identification and assessments, policy and programme development, and prevention and mitigation strategies. It is expected that they will provide sufficient information, and be general enough to allow businesses to create bespoke Travel Risk Management systems or to update such existing systems. Needless to say, businesses will likely need to form or develop close working relationships with travel providers (to the extent that they do not already) to enable business travel managers to assess the safety of such services and measure it against the Business Travel Standards, and to go some way in meeting the duty of care that employers must afford travelling employees.

How to Meet your Duty of Care under the Business Travel Standards

Businesses continue to have a duty of care to ensure employee safety, security and well-being whilst travelling for work (including whilst working in international posts). Duty of care refers to businesses’ legal obligations to act diligently to avoid (where possible) or reduce the risk of foreseeable harm to employees such as injury, ill health or death. Employers must establish and promote a culture which addresses the health and safety of their employees. This includes, without limit, the development of appropriate travel risk management approaches.

Travel businesses will need to quickly take steps to familiarise themselves with the situations and environments that their employees will be exposed to during travel. Whilst it is not possible to develop an exhaustive list of such risks, most businesses already have a good idea of what risks their employees are likely to encounter whilst travelling. Common risks involve crime ranging from the petty (e.g. theft) to the serious (e.g. kidnapping and ransom). Security risks such as terrorism or cybercrime should also be considered. Other risks like health and safety are also common, and may include infectious diseases and matters relating to poor local hygiene. Accidents and disruption risks increase in extreme weather, such as flooding, snow/ice or wildfires and serious accidents may follow from falls down steps or escalators and lifts malfunctioning.

Businesses will need to know their employees and should speak to them to identify any risks that are discrete to them due to pre-existing health issues etc. They will need to familiarise themselves with the travel processes and think about each part of a journey and what their employees are likely to be exposed to. They will need to identify the different risk profiles existing in what may be unfamiliar locations. Managing risks for travel to a country where the organisation has no local base requires more comprehensive controls than for locations where mitigations have already been established and risk profiles are well known. Businesses will have to have lines of intelligence, conduct in-depth analysis of their offerings and associated risks, and seek advice from appropriate risk management services and take appropriate implementation steps. Businesses should test the robustness of their systems for accessing and responding to risks including keeping up to date with travel warnings. They will need to anticipate and assess the potential for events and keep open communication with travellers and get to know their travel services suppliers.

Employers should be able to meet their duty of care by addressing the three stages described above and covering off the seven points that are also set out. The duty of care requirement should ensure that staff are transported safely to where they need to go and have safe comfortable accommodation for the duration of their business travel, and that they return home safely.

Conclusion

We anticipate that the Business Travel Standards will impose numerous new requirements for companies about business travel, although we are waiting for clarity on what exactly those requirements will be. It is important that companies involved in business travel begin considering their travel risks and how to minimise and mitigate the same. Travlaw intends to provide a follow up article updating the position once the Business Travel Standards have been finalised.

For more information on this issue please contact the author on monica@travlaw.co.uk, or call 01132 580033 to speak to any of the Travlaw Team.

Latest news

Data Protection Refresher

On Tuesday 27th July, Travlaw’s Commercial and Corporate Governance department led a refresher session to hear the latest on GDPR,…

Find out more

Hot Topics – Freedom!

Our latest session of Hot Topics saw Senior Partner Matt Gatenby and Senior Associates Nick Parkinson and Krystene Bousfield presenting…

Find out more

Selling into the USA , EU & The Post-Brexit UK

The Travlaw Team are joined by US Attorney, Jeff Ment of Ment Law. Jeff will take us through the rules…

Find out more