24 November 2009 
Chicago - Moving beyond simply tracking travelers, such companies as Hewitt Associates are managing the risk of employee travel on a proactive, rather than reactive basis, iJet Intelligent Risk Systems president D. Bruce McIndoe told the Corporate Travel Department Association meeting here last month.
Companies with proactive models, as defined in a
Travel Risk Management Maturing Model white paper issued by iJet and the National Business Travel Association Global Risk Management Committee in 2007, have policies and procedures, training, communication plans, data management, notification procedures and processes in place to assess, disclose, mitigate and monitor risk, as well as respond to any emergencies.
For example, Hewitt had a mature risk management program in place prior to the terrorist
attacks in Mumbai last November, McIndoe said as he presented a client case study. The global human resources outsourcer had 800 employees in two offices in the Navi Mumbai area. Hewitt also had "multiple travelers on the ground, including one in the Oberoi Trident Hotel."
As a result of executing its business continuity plan, Hewitt stood ready to transfer its call center operations, had a security risk management team in place in Asia-Pacific and immediately communicated status updates to travelers and employees via electronic messages.
But the Mumbai incident also helped the company identify areas for improvement. Despite the fact that Hewitt had a mandatory booking policy, "a number of passenger name records did not have hotel segments," McIndoe said. "Admins and employees would rely on local people to make hotel bookings," at local negotiated rates, "even though the TMC had the resources available" to reserve rooms for them.
Another reason for hotel booking exceptions, he added, was due to meetings and conferences. Learning from the incident, McIndoe said the company implemented a manual process to enter into the booking record the name of the hotel used for meetings and conferences. Hewitt also still relies on local expertise for hotel bookings, but asks for the hotel names and locally negotiated rates as it develops it's preferred hotel program.
Hewitt also learned that, in some instances, alerts sent continuously via email to travelers and others in the region were routed to administrative assistants, whose email addresses were in the booking records. In a new process, email addresses for all travelers are in each record, along with their admin, McIndoe said.
One of the critical components of a mature travel risk management program, McIndoe said, is feedback or continuous improvement to an existing program.
The first step of a travel risk management program typically involves a few ad hoc policies designed to respond to an incident in a "reactive mode." At the next level, a company would have basic travel risk management policies documented, but the primary focus would still be incident response. At the third level, a company would move into a proactive approach to manage risk with "consistent execution of travel risk management processes," McIndoe said. All of these levels could be accomplished within one department.
To advance to the last two levels in the maturity model, a company would need to work across departments. Within the "managed" stage, a company would collect and review metrics and have cross-organizational support. At the "optimized" level, a travel risk management program is integrated throughout an organization and involves not only policy and procedures, but training, notifications, data management and communications. Companies at this level also engage in risk assessment, disclosure, mitigation, monitoring and have a detailed response plan in place.
Risk Assessment
The white paper McIndoe presented included a self-assessment for companies to rank the maturity of their travel risk management programs. Results from 75 companies indicate that few consider their programs at the highest level of maturity, he said.
Of 10 key process areas, McIndoe said respondents ranked their performance in policy/procedures as best, followed by data management and risk disclosure and assessment. The lowest-ranked assessment was training. "You can write all the travel polices and practices you want, but if you don't train people, it's all for naught," he said.
Risk assessment and disclosure is an area of increasing importance, McIndoe added, in light of the H1N1 outbreak. "In India, where many companies are traveling, there is a very thin veneer of private hospital clinic capabilities. Companies rely on that infrastructure, but that veneer can quickly become overwhelmed," he warned, as he noted the lack of other options. "If there's a flare-up of activity in that region, why send travelers to the area? Why stick somebody in the heart of that?" Instead, a company could simply wait a few weeks until the outbreak and the risk of exposure subsides. He suggested that companies carefully follow such outbreaks as they are quickly changing around the world.
