Corporate Duty of Care: How to Build a Travel Risk Management Policy

Introduction: Why Your Travel Risk Policy May No Longer Be Fit for Purpose

Corporate travel is back — but the world your employees are travelling into has fundamentally changed. The convergence of geopolitical volatility, climate disruption, escalating terrorism, and sophisticated cybercrime has created a travel risk environment that bears little resemblance to the world for which most corporate travel risk policies were designed.

For US organisations, this matters not just ethically but legally. Under OSHA’s General Duty Clause, every US employer is required to furnish employees with a place of employment free from recognised hazards likely to cause death or serious physical harm. Federal courts have consistently interpreted business travel as an extension of the workplace — meaning that if you send an employee into a high-risk environment without appropriate safeguards, OSHA can and does take action.

Yet despite these obligations, research consistently shows that large numbers of US organisations lack formal, comprehensive travel risk management frameworks. According to industry surveys, fewer than one in five travelling employees has been fully briefed on emergency contacts and procedures for their destination. The gap between legal obligation and operational practice is significant — and it represents a serious liability exposure for US employers.

1. What Is Corporate Duty of Care in Business Travel?

Duty of care in the context of business travel is the legal and moral obligation of an employer to protect employees from foreseeable harm while they are travelling for work — from departure to return. This obligation encompasses physical safety, mental health and wellbeing, security, and access to medical support.

In the United States, the primary legal foundation for travel duty of care is the OSHA General Duty Clause (Section 5(a)(1) of the Occupational Safety and Health Act of 1970), which requires employers to provide a place of employment free from recognised hazards. Case law has extended this obligation to business travel contexts, particularly where the employer has control over travel decisions, itineraries, and accommodation choices.

Beyond OSHA, US employers face exposure under common law negligence principles, employment contracts, and increasingly, corporate governance standards that require boards to oversee material risks to employees. For organisations listed on US stock exchanges, the SEC’s evolving human capital disclosure requirements create additional pressure to demonstrate robust employee safety frameworks.

ISO 31030: ISO 31030:2021 — Travel Risk Management Guidance for Organisations — is the international standard for corporate travel risk management. Although not mandatory for US employers, it is increasingly used by US and international courts as a benchmark for assessing whether an employer’s duty of care was reasonable. Aligning your travel risk programme with ISO 31030 provides both a structured framework and a powerful legal defence.

2. What a Comprehensive Travel Risk Management Policy Must Include

2.1 Governance and Ownership

The first question a travel risk policy must answer is: who owns travel risk in your organisation? Effective travel risk management requires clear governance — a named executive sponsor, a cross-functional travel risk committee (involving HR, legal, finance, and security), and clear accountability for policy development, implementation, and review.

Without clear ownership, travel risk policies become documents that no one is accountable for maintaining and no one is empowered to enforce. In many US organisations, travel risk sits in an ambiguous space between HR, legal, and procurement — and as a result, it falls through the cracks.

2.2 Pre-Travel Risk Assessment

Every business trip to a destination rated above a baseline risk level should be subject to a formal pre-travel risk assessment. The assessment should evaluate the current security situation at the destination using up-to-date intelligence from the US State Department, specialist travel security intelligence providers, and your own travel risk management partner.

The assessment should consider: political stability and the risk of civil unrest; crime levels, including violent crime and kidnapping; terrorism threat level; health risks and medical infrastructure quality; natural disaster risk; infrastructure reliability including transportation, accommodation, and communications; and specific risks relevant to the traveller’s profile — their nationality, gender, role, and visibility.

2.3 Traveller Tracking and Communication

One of the most fundamental duty of care requirements is knowing where your travelling employees are and being able to communicate with them in an emergency. This requires integration between your booking tools, traveller tracking technology, and your emergency response capability. Research shows that 22% of travelling employees have never been briefed on emergency contacts — a gap that represents a direct organisational liability.

Your policy should mandate check-in protocols at defined intervals for all travel above a specified risk threshold, and should establish clear escalation procedures and emergency communication channels for when an employee cannot be reached.

2.4 Pre-Travel Briefings and Training

Employees travelling to elevated-risk destinations should receive a destination-specific pre-travel briefing covering the current security environment, accommodation and transportation security standards, local laws and customs that could create legal risk, digital security protocols for devices used on the trip, and emergency procedures including contact details for your travel risk management provider’s 24/7 operations centre.

For employees travelling to high-risk or hostile environments — including journalists, aid workers, energy sector employees, and executives visiting conflict-adjacent markets — formal Hostile Environment and First Aid Training (HEFAT) or equivalent security awareness training is a best-practice requirement.

2.5 Emergency Response and Evacuation Planning

Your travel risk policy must specify what happens when something goes wrong. This requires: a 24/7 emergency response contact (either in-house or provided by your travel risk management partner); clear protocols for medical emergencies, security incidents, and natural disasters; an emergency evacuation capability for employees in environments where commercial exit routes may be unavailable; and post-incident support including psychological first aid for employees affected by traumatic events during travel.

3. Common Policy Gaps That Create Liability

  • No policy at all: A surprising number of US SMEs and mid-market companies have no formal travel risk policy. In the absence of a policy, courts will assess the employer’s response to a travel incident against the standard of a reasonable employer — which, increasingly, means an employer with a formal ISO 31030-aligned framework.
  • Outdated policies: Policies developed before 2020 are likely to lack adequate provisions for cyber threats, remote worker travel risks, mental health obligations, and the current geopolitical environment.
  • No traveller tracking: Without a system for tracking traveller locations in real time, the employer cannot discharge their communication and emergency response obligations.
  • No LGBTQ+ and gender-specific provisions: Sixty countries criminalise same-sex relationships. Many destinations present specific elevated risks for women travelling alone. A one-size-fits-all policy fails these employees and creates legal exposure.
  • No high-risk destination approval process: Without a formal approval process for travel to elevated-risk destinations, organisations create the conditions for employees to travel into genuinely dangerous environments without appropriate security measures.

4. Building the Policy: A Practical Framework

The following framework, aligned with ISO 31030, provides US organisations with the structure for a comprehensive travel risk management policy:

  • Step 1 — Risk rating system: Develop a destination risk rating system using the State Department’s four-tier advisory system as a baseline, supplemented by specialist intelligence. Define required actions at each risk level.
  • Step 2 — Pre-travel approval process: Establish mandatory approval requirements for travel to Level 3 and Level 4 destinations. Define who approves, what information is required, and what security measures must be in place before approval is granted.
  • Step 3 — Traveller profile assessment: Assess individual traveller risk factors including nationality, gender, role, visibility, and health. Ensure the security package is tailored to the individual, not just the destination.
  • Step 4 — Security briefings: Develop destination-specific security briefing templates. Integrate briefings into the pre-travel approval workflow so they cannot be bypassed.
  • Step 5 — Tracking and communication: Deploy traveller tracking technology and define check-in requirements. Integrate with your emergency response provider’s 24/7 operations centre.
  • Step 6 — Emergency response: Define and test your emergency response procedures. Ensure 24/7 access to a capable travel risk management provider for medical, security, and evacuation support.
  • Step 7 — Policy review: Commit to an annual policy review cycle, with triggered reviews following significant changes in the global threat environment or any serious travel incident involving your employees.

Conclusion: The Cost of Inaction Is Greater Than the Cost of Protection

The business case for investing in a robust travel risk management policy is straightforward: the cost of a serious travel security incident — in human, legal, financial, and reputational terms — is vastly greater than the cost of the prevention measures that could have avoided it. For US organisations with OSHA obligations, the cost of non-compliance with duty of care requirements adds a further dimension of liability that responsible boards and HR directors cannot ignore.

Neptune P2P Group’s travel risk management service in the USA supports organisations in building, reviewing, and operating travel risk programmes that are compliant, effective, and calibrated to the realities of today’s threat environment. From policy development and HEFAT training to 24/7 emergency response and on-the-ground security support, we provide the full spectrum of capability required to protect your people wherever they travel.

About Neptune P2P Group

Neptune P2P Group is a global security risk solutions company founded in 2009 and owned by former British and French Special Forces personnel. With over 8,500 completed security tasks across the AMEA region and a 100% success record for anti-piracy operations, Neptune P2P Group delivers maritime security services, ports and terminal security, protective security, maritime security training, and travel risk management to shipping companies, port operators, corporations, and governments worldwide.