Interviews

Travel security risk findings

by Mark Rowe

Gian-Rico Luzzi, pictured, is an ex-South African policeman who served in a specialist Anti-Hijacking Unit. Since moving to Europe in 2000 he has accrued 15 years of private security industry experience. More recently he’s gone through the Loughborough University Postgraduate Masters Programme in Security Management. As in similar masters degrees elsewhere, students have to conduct research for their dissertation, the main piece of work of the degree, something to do with their own field of work. Hence Gian-Rico wrote ‘Flying by the Seat of their Pants. An Examination of Contemporary Travel Security Risk Management’. It’s led him to be invited to become a committee member working for the British Standards Institute and a finalist for the 2015 Imbert Prize. Here we ask him about what he’s found.

Gian-Rico, can you introduce the subject?

In the modern workplace highly influenced by globalisation and expansion, there are numerous strategic and/or operational reasons why personnel have to travel for business. So much so, it has become very common for employees to travel as part of their job. UK residents for example made 6.8 million trips abroad for business in 2014. These visits ranged from company directors attending board meetings to close protection operatives deploying to a war-torn area to provide a protective service.

There are several factors driving contemporary travel risk management. These include organisation’s ensuring that they are complying with duty of care principles, avoiding criminal liability, ensuring business continuity, preventing reputational damage and demonstrating positive corporate social responsibly. More specifically there are several types of risk related to business travel. These include: risk to personnel, to reputation, to data/equipment, legal risk, financial risk, and risk to productivity and trip effectiveness. The most important of these however being the health, safety and security risks to personnel.

And tell us something about yourself?

I’m the head of security for an organisation based in London, a member of The Security Institute, and a British Standards Institution (BSI) committee member (representing The Security Institute). I recently completed a master’s degree in security management at the School of Business and Economics at Loughborough University. My research involved an examination of business travel security risk management in both the strategic and operational contexts. It identified the need for, and recommended, the development of a new British Standard on the topic. These findings I presented to the BSI. They were favourably received and work is currently under way.

Tell us of the research?

A literature review of the topic discovered that much of the literature on the subject is related primarily to the topics of duty of care or corporate social responsibility. This essentially highlights that organisation’s focus mainly on the health, safety and environmental aspects of the practice, and not the security of personnel. Quantitative data collection involved surveying recognised business leaders, security and human resource professionals through various professional institutes and associations. Qualitative data collection involved the interviewing of representatives from several large multi-national organisation’s responsible for the function. This then allowed for cross-verification of results using triangulation to form conclusions and provide recommendations.

To play devil’s advocate…. why should the security manager worry about the business travel security of staff – they’re all adults and they do what they like anyway?! Is it even a matter at all for the security department?

There are two important aspects to consider here. The first being why, and then who? In the UK the Health and Safety at Work Act 1974 and the Management of Health and Safety at Work Regulations 1999 set out an employer’s responsibility toward the duty of care of its staff. This is to ensure the health, safety and welfare of their employees while they are at work. In the context of business travel risk management, this relates to business travellers, locals, expatriates, international assignees and their dependents. In the UK failures linked to the management of risks resulting in a death are now prosecuted under the Corporate Manslaughter and Corporate Homicide Act 2007. Hence the importance that security risks are treated to an acceptable level. Effective management of the associated risk also has other benefits. Travelling personnel who feel safe and secure will work more efficiently, increasing productivity, and the focus on corporate social responsibility can also result in an improved reputation which in turn can assist in attracting and retaining key personnel.

This now leads us on to the who? There are once again two aspects to consider here. The first being, personal versus organisational responsibility, and secondly the individual stakeholders involved within an organisation. In response to the first, survey respondents and interviewees indicated that business travel security risk management should be mainly the responsibility of the organisation with input sought from the traveller, closely followed by the view that the responsibility should be equally shared by the traveller and organisation.

Interestingly Professor Lisbeth Claus in a ‘Global Duty of Care’ study goes further, introducing the concept of the ‘duty of loyalty’, whereby employees must be seen to be pro-actively trying to improve their own safety and security by willingly complying with organisational guidelines, procedures and policy. So, very much a shared effort.

In terms of the stakeholders involved in the practice, this is very much dependant on the contextual influence of industry, operating location and an organisation’s size. For example gas or oil refinery workers travelling to and working in hostile areas are exposed to far more extreme risks, than a financial consultant travelling to meetings in a major western financial hub. Organisational size for example might cause a variation in stakeholder and departmental involvement, as a small or medium sized organisation might not have the dedicated departments of a large organisation, resulting in outsourcing of some or all of the function. Larger organisations also tend to have a higher risk awareness due to the fact that there are many more employees operating in numerous locations, being exposed to more and diverse risks. The research identified several functional groups having a significant role in the practice. These being senior management, security, human resource, risk management, operations, health and safety, and travel management departments.

Is it a matter for the security department? Most definitely yes. Studies have revealed that in context senior management and human resource personnel generally have lower risk awareness levels, lower risk perception levels in terms of threats, and low level ratings in terms of duty of care awareness. Security risk management, such as the focus of the topic, is a core component and sub-set of risk management encompassing security related risks and concerns. It differs to the more generic risk management framework model due to the fact that they focus more on probability and consequences and do not consider security concepts such as threat, vulnerability and criticality in uncertain and changing environments requiring specialist security knowledge.

Is it possible to generalise about what the risks are (crime-related such as mugging, or health-related such as people falling ill or getting run over) or are there just so many things that go wrong when staff are abroad?

No, you can’t generalise. The individual and organisation must be sure that the risk they think they are exposing themselves to, is indeed the risk that is being exposed, and that they do want to be exposed to it. The only way for this to be effectively done is through thorough risk exposure assessment, as part of risk management, to allow for an evaluation of the responses that are available, and to ascertain which of those responses would best suit the individual and organisation in context. Operationally risk assessment is required prior to every trip, as well as being part of a continuous monitoring function to ensure that all risks, safety and security related, are identified.

Should there be, and is it possible to have, a happy medium between stressing the threats and putting fear into travelling staff (which might backfire anyway); and not offering enough detail?

It is all about balance, based on assessment and budget. You aren’t going to routinely send employees on hostile environment training if they are only going to Paris for meetings. Likewise you wouldn’t just organise a hotel car if the meetings were taking place in a rural location in Nigeria. One of the problems in relation to the promulgation of the risks associated with business travel is risk perception. We know that in assessing probability it can be seen that a risk can be perceived in a number of ways. For example unknown risks are perceived as more frightening than normal, everyday risks. It is important for the correct perception of a risk that it is evaluated in a probabilistic context, and not just by focusing solely on the consequences, as the perception of the risk will influence the management of the risk. Operationally, promulgation of the risks requires the development of a travel security policy which highlights a specific risk owner, encompasses a compulsory pre-trip authorisation procedure, a compulsory booking procedure, a pre-trip advisory procedure and security-specific training, commensurate with the risk evaluation.

Are we getting better at business travel, as people travel more, and more widely, or does that make for dangerous complacency?

The research highlighted that the health and safety aspects of the practice are well researched, promulgated effectively and well managed. It is the security-related risks that are not generally being addressed appropriately, both academically and strategically. The easiest way to demonstrate this is by quoting a few results taken from the research survey.

How well do you consider your organisation plans, and provides, for personnel and executive protection in relation to any business travel?
Very well 35 percent
Adequately 45 percent
Poorly 18 percent
Don’t know 2 percent

Are you well aware of the legal responsibilities and requirements placed upon an employer to ensure the Duty of Care of its personnel?
Yes87 percent
No13 percent

Do you have a formal travel security policy (or similarly entitled) policy and associated procedures?
Yes61 percent
No34 percent
Don’t know5 percent

Does your business provide business travellers with a pre-trip advisory or briefing?
Yes67 percent
No33 percent

Does your business provide security specific training for its business travellers?
Yes42 percent
No58 percent

Does your organisation have a compulsory pre-trip authorisation procedure?
Yes64 percent
No29 percent
Don’t know7 per cent

Are business travellers actively tracked during travel?
Yes38 percent
No55 percent
Don’t know7 percent

Are business travellers supplied with important or updated security information during travel?
Yes57 percent
No35 percent
Don’t know8 percent

Are you aware that failures linked to the management of risks resulting in the death of personnel can lead to prosecution under the Corporate Manslaughter and Corporate Homicide Act 2007?
Yes75 percent
No25 percent

When considering that the survey respondents were recognised security and human resource professionals, or business leaders, from predominantly (72 percent) large organisations, operating predominantly (74 percent) in medium and high risk locations, it becomes all the more concerning. And these poor results are only the tip of the iceberg. Take a minute now to consider how most small and medium sized organisation’s would fair, considering that many of them do not have dedicated security personnel or departments.

Playing devil’s advocate again, your dissertation was titled ‘ Flying by the Seat of their Pants’ – but is there a case for doing that, as threats (like Ukraine) can blow up suddenly?

Frankly, no. Be it for a business meeting, short or long term assignment, the fundamental problem when travelling to, and working in, an unfamiliar location is that it gives rise to uncertainty and change. A failure in travel risk management can be disastrous for the travelling personnel, the business and its executives.

If there were one thing you could urge on the security manager dealing with business travel, what would it be?

If you don’t already have a comprehensive travel security risk management programme in place, approach senior management and obtain buy-in to create a travel risk management programme, by preparing a strong business case. If you don’t have the dedicated personnel and expertise, there are several large third party service providers who can adequately assist you with the provision of essential functions such as intelligence services, traveller tracking, emergency contact points. However the management of the programme and function will still need to be owned, managed, monitored and evaluated by an individual in-house.

How poorly are things generally being done, if you found security and HR professionals and business leaders highlighting poor results and practice?

Due to the growing prevalence of the practice and the increasing intensity and scrutiny of failures in travel risk management by government, legal entities and the media, which includes the advent of social media, one would assume that modern organisation’s would be paying significant attention to the security risk involved with business travel. On the contrary, the results of the research found that business travel security risk management is generally only at a ‘defined’ level in terms of maturity. The research recommends that to facilitate and progress the general maturity of business travel risk management to an optimised level, the design and development of a specific British Standard is required.

[email protected]

https://uk.linkedin.com/pub/gian-rico-luzzi-msc-msyl/21/a39/307

Related News

  • Interviews

    Manage when working remotely

    by Mark Rowe

    Working remotely? Manage and protect your identity, writes Steve Watts, co-founder of SecurEnvoy. Businesses are becoming increasingly concerned with the amount of…

  • Interviews

    The 12 red flags

    by Mark Rowe

    Steve Ginty, director, threat intelligence at the cyber threat intelligence firm RiskIQ goes through 12 red flags that an e-commerce site is…

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing