Skip to main content
main content, press tab to continue

ISO31030:2021 Travel Risk Management

By Patrick Rogers and Rob Walker | May 14, 2024

An insight into the ISO 31030:2021, released in 2021, which provides guidelines for organisations developing travel risk management programmes.
Crisis Management
Geopolitical Risk


ISO 31030:2021, released on 15 January 2021, provides guidelines for organisations developing travel risk management (TRM) programmes to ensure the safety and security of their employees while travelling for work.

Employers have a legal obligation, often referred to as a ‘duty of care,’ to take reasonable steps to ensure the safety and well-being of their employees while they are travelling for work-related purposes. This duty extends to all aspects of travel, including transport, accommodation, and activity during the trip. Numerous legal cases have established employer liability in instances where they failed to discharge this duty.

As a result, employers must establish a policy and related procedures which take reasonable steps to educate, inform and support their employees when conducting travel. This includes:

  • Risk Assessment – Employers must conduct risk assessments to identify potential hazards and threats to which employees could be exposed as a result of an assignment. This includes assessing risks related not just to health, safety and security, but also the implications of a different legal or socio-cultural environment.
  • Planning and Preparation – Employers are responsible for developing comprehensive travel policies and procedures to mitigate identified risks. This may involve providing employees with awareness training, giving them access to necessary resources and support services, and developing appropriate emergency plans.
  • Communication – Employers must effectively communicate with employees about travel risks and provide them with relevant information and guidance to help them make informed decisions. This includes informing employees about potential dangers in specific destinations, how they should prepare, how they stay up-to-date, and to think through how they would respond to incidents.
  • Risk monitoring and review – Employers should monitor travel-related risks and review their TRM processes to ensure the policy remains effective and relevant, and compliance with legal requirements. This should involve seeking feedback from employees, analysing incident reports, and updating policies and procedures as needed.
  • Explanation of responsibilities and accountabilities for approving and monitoring all aspects of travel, reflecting health, safety and security factors, as well as financial and administrative costs.
  • Clear, consistent, proportionate and accessible policies and procedures, which set out expectations, and explain how an employee should prepare for and conduct travel on behalf of the employer, which reflect and reinforce company other relevant policies.
  • Provision for awareness, education and training appropriate to the individual, business objective and destinations.
  • Objective risk assessments which explain the potential threats or hazards which might affect an employee on assignment.
  • Provision for employees to receive accurate and timely risk information and advice, to enable them to adapt to changes to the risk environment.
  • Response protocols which explain what the employee should do if affected by an incident while travelling, including what support they might access and how to do so.
  • Means of effective and prompt communications to and from employees - including appropriate employee tracking, monitoring or check-in schedules, and mass communication during a significant event.
  • Continuous review of policies and procedures; of the services used to deliver the programme, including technology, transport, accommodation, intelligence and analysis, training and assistance providers; and of the risk environment.

Employers must comply with relevant laws, regulations, and industry standards related to travel safety and risk management. This includes complying with immigration laws, health and safety regulations, and data protection requirements, among others.

ISO31030 guidance: the value to business

Adopting the ISO31030 guidance provides a number of benefits to employers and employees and aligns with several business interests.

The immediate aim of a constructive travel risk management programme is to keep the employee safe - with the related and equally important aim of increasing the likelihood of achieving the trip’s objectives without disruption or additional cost, and reducing the employer’s exposure to legal challenge.

The guidance in ISO31030 helps companies fulfil their moral obligations to their staff: when asking them to travel somewhere on the business’s behalf, it is reasonable that the business provides staff with the means to do so safely. Moreover, employers are in a better position than individual employees to understand and evaluate risks, particularly over time: helping to manage risks while travelling ought to be as fundamental as providing them with a laptop.

A mature TRM programme can help demonstrate a company’s ‘values,’ showing they fulfil their obligations to their people. By considering each employee’s personal profile, for example by highlighting to them different legal or cultural norms which might pose a risk to them, it can help establish practical examples of DEI policy in action.

Additionally, if properly integrated with other core policies, such as travel and insurance, the programme can help companies avoid unnecessary costs: if TRM policy explains corporate-level insurance coverage or access to medical and security assistance, regional or local offices can avoid duplication of effort and additional costs.

There are also very clear legal responsibilities for businesses. Numerous cases have established that an employer has a legal as well as moral duty to take reasonable steps to ensure the safety of employees on assignment: they could face litigation in the event of an incident affecting an employee, and a significant fine. This could include failure to properly prepare an employee, such as not warning them of potential health or safety threats; the failure to support mitigation ahead of travel; the failure to make provision for support on the ground; or the failure to provide support to other affected employees or stakeholders after an incident.

Moreover, the ISO31030 provides clear guidance on how to develop and implement a framework of policy, procedures and supporting resources: there is now no excuse for not having a robust travel risk management programme.

Employer policy and procedures

A TRM programme establishes policy guidance and procedures to be followed by employees. A comprehensive risk-based programme informs other related policies and procedures, aiding consistency and proportionality. For example, travel policies often specify ‘preferred’ or ‘must use’ vendors, such as an airline or a major hotel chain, usually on cost grounds. However, your TRM policy should review the suitability of accommodation or transport types in all destinations, identify exceptions, and outline the appropriate approvals process.

Similarly, some companies try to reduce data roaming costs by encouraging employees to make maximum use of public wifi. This could create unnecessary vulnerabilities to company or personal data, as well as leaving employees incommunicado and vulnerable when moving between hot-spots. Again, a robust TRM policy will identify exceptions where additional cost is justified.

When travelling, people often prioritise convenience or familiarity. For example, when looking for accommodation, employees might opt for so-called shared economy services such as Airbnb, without thinking about the potential safety implications: again, a risk-based policy covering all aspects of the trip ensures employees find the most suitable places to stay.

Insurance and travel risk management

An insurance policy is an important component of your TRM programme: properly structured, it helps you manage the consequences, especially the financial impact, of disruption to your employees and business objectives. It does not in itself help you or your people understand threats or hazards, reduce the likelihood of them affecting your employees, or mitigate the non-financial impact of an event. Critically, an insurance policy alone does not cover your duty of care obligations outlined in ISO31030.

However, a constructive relationship with your insurer does bring a number of other benefits. It can help you understand the extent of your coverage, including access to third parties, including for malicious risks such as cyber crime, kidnap or activism. Your insurer can help you integrate those services properly.

Additionally, brokers will often have useful insight into relationships between insurers and assistance or specialist risk management service providers, as well as being able to recommend which are the most suitable providers for your company’s needs. They can also help highlight duplication, such as coverage for one type of event through two or more policies, or access to assistance services through existing policy cover.

Risk management and assistance services

As with an insurance policy, giving your employees access to a third-party provider during or after an incident is not a ‘magic bullet,’ and certainly does not in itself fulfil your duty of care obligations.

Global access programmes. Companies often outsource such activity to travel risk management companies, many of which offer a ‘one stop shop.’ While a prudent option for many, this requires informed engagement with potential providers if you are to ensure you have taken ‘reasonable’ steps to support your employees. A robust TRM programme will look beyond the sales pitch to understand the practical capabilities.

All service providers have strengths and limitations. Caveat emptor applies as much here as anywhere else, and assuming your provider’s services are adequate might not be a defence in court. The best risk services companies will provide a transparent account of the full range of their capabilities. A lack of transparency about specifics - the use of sub-contractors or its accreditation programme, for example – is a ‘red flag’ that their other capabilities might not be as robust as their marketing claims.

Additionally, having access to several programmes –one or more insurance policies backed up by a direct relationship with a travel risk service provider – might not give you more options, especially in a crisis, when demand for vehicles, accommodation, airline tickets and charter aircraft seats outstrips supply. Your assistance provider might be one of many competing for the services of a single local transport company, or for seats on someone else’s charter. Your options might simply be different routes to the same services, with long waits involved: it is better to know this advance than to find out during a crisis.

  • What are your capabilities in X country?
  • Do you have an in-country team? Do you outsource to a third party? Are they in-country, or regional based?
  • What are your criteria for accrediting a sub-contractor?
  • When did you last use them? When did you last visit them physically to accredit their services?
  • What lead times should we plan to? How long do you need to arrange ground transport / escort etc?
  • If you are managing a crisis remotely via third parties, where is your team based?
  • When did your security team last visit the country? When are they next visiting?
  • What are your criteria for putting your own team on the ground?
  • How many other clients might you be supporting in this country during a crisis?
  • What are your criteria for risk monitoring and alerting?
  • What are your primary information sources in country?
  • How often are your destination risk assessments updated?
  • Where are your analysts based? How often have they visited X country?

Risk monitoring and reporting. Risk service companies offering travel risk management services almost always include a risk monitoring service as part of a ‘global’ package. As with their other services, it is important to understand the capability behind the marketing pitch. Smaller regional-focused providers often have a better understanding of cultural nuance, as well as having their own ‘boots on the ground.’ It would be worthwhile for companies with an enduring interest in specific countries or regions to identify smaller, regionally based providers who can offer a more localised service, including greater insight into medical or security risks than can be gleaned from public information. (Such providers are likely also to be part of the network of the large global providers - and dealing with them directly is often more cost-effective.)


Building an effective TRM programme is essential to allow a company to fulfil its duty of care commitments, as well as its moral obligations, to its employees. ISO31030 contains extensive guidance to establish and maintain a set of robust policies and procedures, which are based on established risk management principles.

However, implementing a robust TRM programme requires additional important steps. It should involve constructive and transparent discussions with a range of providers, including an insurer and risk management providers. This should involve an objective appraisal of their capabilities, methodology and assumptions in the context of your potential exposure and risk appetite. This will help identify and close actual or potential gaps, and also avoid unnecessary duplication and costs. Investing time now to gain that clarity is likely to pay off before an incident or during a crisis.

Should you have any enquiries regarding how we can support you this area, please contact WTW’s in-house consulting practice, Alert:24, via the below contact details.


Head of Risk Advisory – Alert:24, Crisis Management

Senior Risk & Crisis Advisor, Alert:24


Robert Taylor
Head of Alert:24
email Email

Mark Allison
Head of Crisis Support
email Email

Related content tags, list of links Article Crisis Management Geopolitical Risk
Contact us