​

WHEN EMPLOYEES TRAVEL, they face a range of risks—from the common pickpocket to the rare terrorist attack. For companies, the risk is doubled. Not only does management have to worry about harm or loss of life coming to a colleague, with the attendant personal and professional ramifications, but decision makers also expose their firms to liability if an employee is hurt or killed abroad. To address these issues, companies need to assess the threats and have a program that gives employees the security training and support they need to mitigate the risks.

Top Concerns

Terrorism and civil unrest were listed as the top concern by 44 percent of corporate security and risk professionals responding to a poll conducted jointly by International SOS and Control Risks, followed by natural disasters, petty theft and crime, and kidnap and ransom.

An analysis of a decade’s worth of jihadist communications shows that companies are right to worry about terrorist attacks. The study, conducted by Dr. Gabriel Weimann, a professor of communications at Haifa University in Israel and a senior advisor to Bethesda, Maryland’s SITE Intelligence Group, found that al Qaeda and its jihadist sympathizers increasingly choose private business targets that cause economic harm to the West, especially the United States. The primary targets of this “econo-jihad,” says Weimann, are “oil facilities, infrastructure, transportation, tourism, and financial institutions.” Lashkar e-Taiba’s terrorist assault on Mumbai was one recent example.

The biggest problems arise when employees travel to relatively stable but high-risk countries where business travelers can be lulled into a false sense of comfort and security. In this context, security professionals mention countries like Indonesia, Russia, and Saudi Arabia while alluding to larger regions like the Middle East and North Africa. More surprising is that they also name Australia and Canada as risky locations.

While Australia has not seen an attack on its soil, the country’s strong support for the U.S. fight against al Qaeda made its citizens targets abroad in the 2002 Bali bombings. And Chris Heffelfinger, a terrorism analyst for U.S. security consulting firm iJet, believes jihadists could strike Down Under soon.

In addition to its support for the United States, Australia, like the United Kingdom, has a large but poorly integrated Muslim immigrant population. “That’s a place where you have actual, physical radicalization taking place in very segregated, almost ghettoized communities,” Heffelfinger notes. The threat is more than theoretical. Australian authorities have already uncovered and disrupted several active plots, he says.

Responsible Care

While most companies protect their employees during travel because it’s the right thing to do, they also bear legal responsibilities. Most Western countries—Australia, Canada, Western Europe, and the United States—have what are called “duty of care” laws, notes International SOS. Under the concept of duty of care, a 2009 report from International SOS explains, “[e]mployers are expected to take practical steps to safeguard their employees against any reasonably foreseeable dangers in the workplace.”

Naturally, meeting that responsibility gets more difficult when the workplace is not in a company’s home country. Having a travel risk management policy can help companies meet their legal obligations in these remote work areas. Those that don’t have a policy should take duty of care as one more reason why they need one, says Will Geddes, managing director for the U.K. firm International Corporate Protection, a corporate security service provider.

Travel Policy

When developing a travel security program, companies need not develop “nanny-like programs,” says Ed Levy, former director of global security for pharmaceutical firm Pfizer who now runs security at New York’s Empire State Building.

Rather, companies should “make people aware of the risks, make resources available to them, and strongly suggest that they don’t do certain things,” states Bill Anderson, group director of global security for transportation company Ryder System Inc.

A typical travel risk policy should include three components: protocols, training, and contingency plans.

Protocols. Employees need guidance in terms of best practices for travel, but it should not be a one-size-fits-all approach. Company protocols should be flexible to account for different locations and the varying degrees of risk they present. Anderson’s department has tiered travel security policies for locations based on three levels of risk: high, intermediate, and low, he says. If an employee is going to Hong Kong, for example, the security department doesn’t need to go through the full panoply of issues that would apply to a high-risk location. Instead, security explains the local risk and recommends a few places to stay. For a more risky destination, the assistance provided by security staff is more extensive.

The choice of lodging is critical, considering terrorists’ penchant for hotel attacks. Company protocols should address the types of lodging that are safe. Companies should choose a resort-style hotel when possible, because there’s “a nice degree of separation from where the property begins and where the hotel is,” says James Reynolds, director of safety and security for Hilton’s Palmer House in Chicago.

If a resort-style hotel isn’t an option, travelers should opt for a hotel that is set back from the street. Companies should also choose hotels that have visible security, especially guards dressed in police style uniforms. Visible security is one of the easiest ways a hotel can harden itself from becoming a terrorist target, says Reynolds. It also reduces the risk of more ordinary crimes.

Companies should establish a protocol for their internal security staff to follow with regard to calling hotels, discussing their security arrangements, and verifying them with local sources, says Anderson. “Sometimes consultants are reticent to recommend a hotel from a security standpoint, but oftentimes they can tell you what it’s like.”

Reynolds agrees that it can be helpful to call the hotel’s security director, especially if the traveler is an executive who travels with a security detail and needs extra attention. The hotel security director can “assist you in elevator holds, where to stage your car, and the best way to position your room,” if you work with them in advance, says Reynolds.

There is only so much the company can do to protect its employees when they are in another country, but one simple measure that can at least ensure that headquarters will get an alert at the first sign of trouble is to have a routine check-in protocol. Depending on the location’s risk, employees might be required to touch base with headquarters or a designated call center first thing in the morning and last thing at night. “All that has to be is just a check-in call to say ‘Back at the office,’ or ‘Back at the hotel,’” Geddes says.

A failure to check in would trigger response protocols.

A more tech-savvy method is offered by iJet. The company can provide clients traveling in high-risk environments with a GPS mobility-tracking device or tracking software that they download into their personal wireless device.

“The capability is for them to be able to hit a panic button and that goes through satellite communications instantly to our command center, and it tells us that they’re in trouble,” says David Weir, vice president of resiliency services for iJet.

The technology can even be tweaked to provide a travel perimeter for employees. Once a traveler steps outside a company’s predetermined area, iJet is notified. Response depends on the protocols they’ve devised with the client company. The travel perimeter concept is popular with news organizations for tracking their reporters whereabouts.

Company protocols should also provide for what to do in the worst-case scenario. Traveling employees should have the ability to call a 24/7 hotline for assistance in an emergency. Travel security experts interviewed for this article stressed the importance of these numbers, which allow employees to contact either the company’s security department or a travel security management provider if there’s a serious problem. Once connected, a security expert can provide travelers with their best option based on their situation, whether that’s sheltering in place, seeking safety at an embassy, or preparing for extraction or evacuation.

Training. Companies need to educate employees about how to behave abroad and about the risks that are endemic to their destination. Among the lessons should be tips on how to blend in with foreign cultures and avoid drawing attention to the fact that they are outsiders or that they are business professionals. “What it means is looking like a regular, middle-class traveler in that country,” explains Chris Falkenberg, a former Secret Service agent and president of risk management Insite Security.

Travelers should be instructed to avoid carrying high-level credit cards and to eschew the trappings of success that some businesspeople like to flaunt. They should also be instructed to avoid carrying anything that ties them to a government or a religious organization. Basically, the less that ties them to anything that might inflame local opinion or that might be used against them if they are kidnapped, the better.

Heffelfinger, an expert on radical Islam and a former counterterrorism consultant to the U.S. government, takes this advice further than some, saying business travelers should go native if they will be there for awhile. “Get to know people, eat the food,” he says. “Travelers who are more culturally aware of their surroundings are less prone to strike a profile.”

While Heffelfinger doesn’t think this approach will be popular with some companies, he believes in it. “In the long run, I feel confident that this approach would pay dividends over the bunker mentality,” he says.

Traveling employees must also learn to vary their routines. The mantra: Never be predictable. This can be hard for travelers because people naturally sink into routines, says Heffelfinger.

One of the most important lessons companies should teach employees is to avoid complacency when traveling. That is an ongoing challenge with seasoned travelers. “The perception among well-traveled people is that they have seen it all,” says Gavriel Schneider, international director for South Africa-based Dynamic Alternatives. This belief can be very dangerous, he says, because they drop their guard.

The level of training should also track the level of risk. This is especially important when an employee travels to a high-risk location no one with the company has been to before, says Anderson, who just had employees travel to Africa for the first time. When this occurs, the security team should come up with a detailed travel plan and give the traveler face-to-face coaching on what to expect and what to avoid.

Some companies offer employees additional training with regard to potential high-risk situations they may encounter. For instance, iJet’s risk mitigation training is similar to military-style survival training. “It covers situations when the infrastructure’s totally down, there’s no power, and food and water are getting scarce,” says Weir. The company trains its clients’ employees to know how to take care of themselves as they try to make contact with their company or iJet.

Given the attacks at hotels, such as the Oberoi and Taj Mahal in Mumbai, companies may also want to address what to do in active-shooter situations. Reynolds trains his employees on active shooter situations using the Department of Homeland Security’s response process of evacuate, hide, or take action, depending on the situation guests find themselves in, he says. A guest’s options, however, are very limited in these scenarios, because it’s the active shooter that’s calling the shots until law enforcement arrives.

Contingency plans. No amount of planning can eliminate all risks, so companies should formulate contingency plans for cases in which conditions quickly sour. In the case of a coup or a terrorist attack, for example, “There should be a good extraction protocol and procedure in place to get the employee out of that location in the safest way possible,” says Geddes.

In order to know whether employees are in a danger zone and to be able to rescue them, a company has to be able to locate them. For companies with a phalanx of traveling employees, that can be a challenge. Anderson feeds his travelers’ itineraries into International SOS and Control Risk’s Travel Tracker, which creates a searchable database of all employee travel.

“If there’s a terrorist attack,” he says, “we can search that and see if any of our travelers were there at that time.”

Rendeiro says such systems are vital to managing risk. “We can see exactly how many of our clients are in any given part of the world at any given time,” he says.

When a devastating earthquake hit Haiti in January, International SOS was able to find out instantly how many clients were in the country. The company’s travel tracking program is so powerful that it knew very quickly that 42 of its clients were on the airplane that crash landed in the Hudson River in January 2009, says Rendeiro.

Companies may also want to establish in-country safe havens as alternatives to corporate office locations in chaotic areas. That might be a hotel or residence, says Geddes. Unfortunately, there’s no cookie-cutter approach to decide where these locations will be; the variables change from place to place and situation to situation, he says.

With regard to getting employees out of a danger zone quickly, many companies use private firms like International SOS or Kroll to conduct extractions when necessary. These firms rely on local personnel, usually former special forces personnel who have connections and knowledge of the environment, to help them get their clients out when necessary.

Generally, extraction teams find their target after employees make contact with the command center and inform it of their location. The center then relays that information to the team. In situations where voice communication systems fail, employees should still be able to send and receive SMS text messages to communicate their whereabouts. When all means of making contact fail, employees should have a predetermined rendezvous spot that they know to travel to.

Levy recounts a story from his Pfizer days that showed the enormous benefits of outsourcing extraction services. Pfizer had employees in Lebanon in 2006 when Israel launched a military action against Hezbollah inside the country. The company’s emergency plan went into effect, and employees were safely evacuated from the danger zones on buses and housed in hotels as-needed until they could be flown out on commercial aircraft. Levy called this service “positive control—where the provider, International SOS, is responsible for picking up the employee, transporting them, securing them, feeding them, housing them, providing medical care, providing clothing,” and on and on. “They made me look like a hero,” he notes.

Intelligence

To be forewarned is to be forearmed, as the saying goes. Forewarning employees with general security awareness training is important, but they also need specific intelligence both before and during the trip.

Many companies rely on outside private intelligence and travel security firms to provide location-specific briefs that explain the threats—whether man-made, medical, or natural. A pre-briefing packet for a particular location is usually sent once the employee books travel.

These firms, often the same firms that offer the tracking services, can also deliver breaking threat advisories to a traveling employee’s cell phone, smartphone, or e-mail. But companies on a budget can also get some intelligence free from open sources or the government, such as from the U.S. State Department’s travel advisories or the British Foreign and Commonwealth’s risk assessment for foreign travel, says Geddes.

No matter how a company decides to support its employees with intelligence before and during the trip, Anderson says, companies need to be aware of the flaws in each approach. He believes government travel information may downplay threats because of political concerns while private services may inflate threats. “You just have to find a balance there,” he says. The best approach, if feasible, is to collect as much detailed information from reputable sources as possible and present a useful balanced analysis to the traveler.

Good intelligence, says Donald Henne, associate managing director of Kroll, should also make worst-case scenarios like extractions or safe havens a very rare occurrence. Timely information, whether provided in-house or by another firm, can help a company assess when it should not send employees into dangerous locations or when it should call them home in anticipation of a worsening security situation.

Pressure Points

Criminals and terrorists intentionally target locations frequented by foreign visitors—transportation hubs, hotels, and city centers. There are the various stages of a trip where a traveler is at elevated risk, and employees should be especially attuned to the potential dangers in these situations.

Arrival. No matter where a business traveler is, there will be unaffiliated delivery drivers vying for customers. Business travelers should never get inside an unlicensed vehicle, Anderson says. When in reasonably safe locations, they can take a licensed cab from the airport’s cab stand. But when business travelers arrive in moderate- to high-risk locations, it’s best for the company to arrange in advance for a driver to pick them up.

Levy says companies should have their security provider or indigenous employees hire the driver to make sure he can be trusted. There should also be a reliable way for the driver and traveler to identify each other, and it shouldn’t be the driver holding up a sign with the person’s name on it, says Anderson.

In Sao Paolo, Brazil, Ryder security found evidence that people were watching its employees and making their own company signs to lure the employee in. To ensure that the employee got in the right car, “each traveler would have a different password with the driver that was going to pick them up,” he says.

Ryder also has a local employee or trusted vendor meet the traveling employees at the airport in higher risk areas whenever possible. The local colleague then escorts the visitor to the hotel, says Anderson.

Hotel. The next point of exposure is check in at the hotel. Security professionals recommend that travelers exercise caution in the lobby where anyone can overhear what is said, such as the number of your room or the time a person may be planning to meet with you and where.

Additionally, the choice of a room deserves special attention. Security professionals recommend that travelers reserve rooms in the back of the hotel to avoid large-scale explosions targeting the front of the hotel. During the 2008 attack against the Islamabad Marriott Hotel, a suicide bomber detonated a dump truck packed with explosives at the hotel’s front gate and killed nearly 60 people. Of course, this would depend on the hotel configuration. A back that borders on a drivable, unsecured alley or roadway could be more at risk of a truck bomb.

Travelers also should not book rooms above the seventh floor so that they can evacuate quickly if the stairs are the only option. That’s also the highest floor a fire truck’s ladder can reach in most cases, says Reynolds.

Travelers should avoid staying in rooms close to the stairwell, which has been described as “murderer’s alley,” Reynolds notes. “If I’m a person wanting to do harm, I can come out of the stairwell to the closest room and back into the stairwell quickly,” says Reynolds.

Once travelers are comfortably inside their room, Geddes recommends that they never open their room door if someone knocks, no matter what they say. If the person says they’re from the hotel, the guest should try and spy the employee’s name tag and call down to the front desk to doublecheck that the employee is who he says he is and has been sent up to the room.

There’s one more part of a hotel that worries Ryder’s Bill Anderson. He advises business travelers to stay away from hotel restaurants, especially outdoor dining facilities. The two suicide bombers that attacked the Marriott and Ritz Carlton hotels in Jakarta last summer detonated their bombs inside one of each hotel’s restaurants, reported Australia’s The Age. If you’re a business traveler shuttling into a location where the risk is severe, “just order room service,” Anderson advises.

Ultimately, companies must trust their employees, and traveling employees must trust their gut. There’s a big psychological dimension to security awareness, says Falkenberg. People have a “subliminal or subconscious awareness of things that are wrong.” If something doesn’t seem right, a traveler should not proceed, regardless of whether anyone else might judge their reticence as paranoid, he says.

By arming employees with training and intelligence, companies increase the odds that employees will be able to navigate most situations safely. If problems do occur, travel tracking programs and contingency plans can provide employees with the assistance they need.

Matthew Harwood is an associate editor at Security Management.