ISO 31030 & Managing Business Travel Risk

In this Article, Monica Kainja and Milli Richardson discuss the various
factors TMCs and other Business Travel stakeholders should consider,
especially in relation to ISO 31030.

As the world gears up for the end of the coronavirus pandemic, many people are keen to
meet face-to-face once again. Businesses have started thinking about meeting clients in
person after a year of zoom networking drinks.

This is why, now more than ever, businesses need to consider the risks relating to
business travel and how these risks may be mitigated.

The International Standardisation Organisation (“ISO”), in consultation with the British

Standards Institution (“BSI”) has attempted to tackle this issue head-on with the drafting
of the ISO 31030 Travel Risk Management Standards, focused on business travel risks
(the “Business Travel Standards”).

This note will assist you in understanding what the Business Travel Standards are, to
whom they will apply and how they will change the landscape of business travel going
forward.

What are the Business Travel Standards?

The ISO 31000 Risk Management Standards were published by the ISO in 2018 and were
designed to assist businesses in assessing, planning for and mitigating day-to-day risks.
Businesses are able to implement these standards into their strategies insofar as
organisational resilience, IT, corporate governance, HR, compliance, quality, health and
safety, business continuity, crisis management and security are concerned.

The ISO has gone a step further and has introduced the Business Travel Standards which
are aimed, very narrowly, at travel for business. In a similar way as the ISO 31000, these
standards are intended to be integrated into a business’ strategies, in order to plan for
and mitigate risks as they relate to business travel. Business travel risks can be wide-
ranging and may include health and safety risks to personnel. Failure to mitigate such
risks could have dire knock-on effects for business, such as litigation and tarnishing of a
business’ professional reputation.

Who do the Business Travel Standards Apply To?

The Business Travel Standards are currently in draft form and are intended to come into
force later in 2021, although we don’t yet have confirmation as to exactly when this will
be.

Once in force, the Business Travel Standards would apply to any business where travel is
required. This could be travel by employees for various reasons and would apply to
student travel too.

In particular, companies who specialise in business travel would need to pay special
attention to the Business Travel Standards as they are likely to provide context and
possibly content to contracts with travellers and suppliers.
What are the Business Travel Standards likely to say?

Though we cannot look into a crystal ball and extract from it excerpts of the forthcoming
Business Travel Standards, we can look to previous BSI standards and guidance which
provide predictive value as far as determining how the Business Travel Standards will
shape up. Three such resources are the ISO 31000, the 2016 PAS 3001 Travelling for
work standard, and ISO 45001 Occupational Health and Safety Management (together,
“the Standards”). Each compels businesses to take appropriate steps to ensure
employee security and safety. The Business Travel Standards complement the duties laid
out in the Standards for situations where employees are travelling for business.
Employers must ensure their employees’ safety whether in transit to, on arrival at a
destination, or travelling from a destination.

The Business Travel Standards will require businesses to consider whether travel is
appropriate for security, safety or health reasons, and will not simply leave businesses to
determine their own travel risk appetite as they will set a universal standard to which they
will be held to. The question at the forefront of each business will need to be: how can our
employees travel safely?

Engaging in Risk Management

Based on our understanding of the Standards, we expect that the Business Travel
Standards will set out clear duties relating to the proper conduct of risk assessments, and
will require businesses to meaningfully engage in risk prevention or mitigation.
Businesses will need to develop clear management processes which may look something
like this:

1. Identity the risks at the travel destination as well as the areas of transit;
2. Consider the potential for such risks and certain events;
3. Consider risk prevention, minimisation and mitigation;
4. Communicate anticipated risks to travellers and the steps taken to minimise or
mitigate them as well as what further safety and security precautions can be taken
by them;
5. Provide travellers with adequate risk response guidance such as medical or
emergency response details and accessible services and assistance information;
6. Provide travelling employees with assistance in the event of any incidents and
procure their safe return; and
7. Provide post travel feedback, reporting and evaluation mechanisms.

A Three Stage Process

The Business Travel Standards will likely require businesses to focus on three stages of
travel, which should effectively result in the above seven points being addressed as each
of the three stages are considered.

Before Travel

1. Pre-travel reports which should provide information on travel itineraries and with
enhanced information relating to particularly high risk destinations;
2. Travel alerts which deal with specific and real time risks and updates, as well as
predicted events, disruptions and threats; and
3. Collating relevant information relating to the profiles of the travellers(s) which
should address particular needs and vulnerabilities such as health issues.
During Travel

1. Provision of tools and processes to enable employees to check-in at various points

of the journey and on arrival. Employees should be provided with a point of contact
(such as a line manager) to stay in regular contact with. Such person should have
an up to date and detailed itinerary for the employee’s trip, and schedule regular
check-ins. There should be a process for raising alarm if contact is broken
unexpectedly;
2. Provision of itinerary assistance, management or information points; and
3. Emergency contact information.

After Travel

Post-travel feedback from employees including identifying any risks that are visible on the
ground and identifying any post travel support employees may require.

In summary, it is expected that the Business Travel Standards will set out a structured
approach to the development, implementation and review of risk identification and
assessments, policy and programme development, and prevention and mitigation
strategies. It is expected that they will provide sufficient information, and be general
enough to allow businesses to create bespoke Travel Risk Management systems or to
update such existing systems. Needless to say, businesses will likely need to form or
develop close working relationships with travel providers (to the extent that they do not
already) to enable business travel managers to assess the safety of such services and
measure it against the Business Travel Standards, and to go some way in meeting the
duty of care that employers must afford travelling employees.

How to Meet your Duty of Care under the Business Travel Standards

Businesses continue to have a duty of care to ensure employee safety, security and well-
being whilst travelling for work (including whilst working in international posts). Duty of
care refers to businesses’ legal obligations to act diligently to avoid (where possible) or
reduce the risk of foreseeable harm to employees such as injury, ill health or death.
Employers must establish and promote a culture which addresses the health and safety of
their employees. This includes, without limit, the development of appropriate travel risk
management approaches.

Travel businesses will need to quickly take steps to familiarise themselves with the
situations and environments that their employees will be exposed to during travel. Whilst
it is not possible to develop an exhaustive list of such risks, most businesses already
have a good idea of what risks their employees are likely to encounter whilst travelling.
Common risks involve crime ranging from the petty (e.g. theft) to the serious (e.g.
kidnapping and ransom). Security risks such as terrorism or cybercrime should also be
considered. Other risks like health and safety are also common, and may include
infectious diseases and matters relating to poor local hygiene. Accidents and disruption
risks increase in extreme weather, such as flooding, snow/ice or wildfires and serious
accidents may follow from falls down steps or escalators and lifts malfunctioning.

Businesses will need to know their employees and should speak to them to identify any
risks that are discrete to them due to pre-existing health issues etc. They will need to
familiarise themselves with the travel processes and think about each part of a journey
and what their employees are likely to be exposed to. They will need to identify the
different risk profiles existing in what may be unfamiliar locations. Managing risks for
travel to a country where the organisation has no local base requires more
comprehensive controls than for locations where mitigations have already been
established and risk profiles are well known. Businesses will have to have lines of
intelligence, conduct in-depth analysis of their offerings and associated risks, and seek
advice from appropriate risk management services and take appropriate implementation
steps. Businesses should test the robustness of their systems for accessing and
responding to risks including keeping up to date with travel warnings. They will need to
anticipate and assess the potential for events and keep open communication with
travellers and get to know their travel services suppliers.

Employers should be able to meet their duty of care by addressing the three stages
described above and covering off the seven points that are also set out. The duty of care
requirement should ensure that staff are transported safely to where they need to go and
have safe comfortable accommodation for the duration of their business travel, and that
they return home safely.

Conclusion

We anticipate that the Business Travel Standards will impose numerous new
requirements for companies about business travel, although we are waiting for clarity on
what exactly those requirements will be. It is important that companies involved in
business travel begin considering their travel risks and how to minimise and mitigate the
same. Travlaw intends to provide a follow up article updating the position once the
Business Travel Standards have been finalised.

For more information on this issue please contact the author

on monica@travlaw.co.uk , or call 01132 580033 to speak to any of the Travlaw
Team.