Research shows companies increasingly are establishing enterprise-wide risk management programs to offer a bird’s-eye view of all types of risk. So far, though, travel risk doesn’t seem to be part of the conversation.
North Carolina State University’s Poole College of Management has an enterprise risk management practice sponsored by Deloitte. Its reports divide risks into three buckets: macroeconomic (i.e., exposure to currency fluctuations or political instability), strategic (disruption, change in customer preferences) and operational (supplier uncertainty, succession challenges).
Traditionally, corporate risk leaders are responsible for one silo and tend to unknowingly “lob” risks to the others, according to Mark Beasley, Poole’s Deloitte Professor of enterprise risk management. Not being a risk expert, for example, the technology lead may create legal, cash management or reputation risks, he said. Risks may fall between the silos or spread across them. Not thinking strategically threatens strategy, according to Beasley.
ERM, though, is a top-down process that offers a more holistic view, closing gaps between departments.
NC State and the American Institute of CPAs has for the past eight years surveyed CFOs or similarly situated business leaders about ERM. In 2016, the poll received 432 responses. Results showed that while growth plateaued in the past few years, the share of surveyed organizations employing a “complete, formal” ERM process was up to 28 percent in 2016 from 9 percent in 2009. For large and publicly traded organizations, the figure was closer to 50 percent.
The research also showed that growing percentages of organizations appointed a chief risk officer or equivalent (42 percent last year), and created a management-level risk committee (58 percent).
Does travel have a seat at that table?
“If you’re a travel risk manager, you’re going to be at a big company and that company probably already has some sort of ERM process,” said Bonnie Hancock, executive director for NC State’s Enterprise Risk Management Initiative. “So I would think the leader of ERM should be looping in the travel risk manager, and if not, I would want to get connected to ensure that travel risks are getting the appropriate consideration.”
ERM has been around for well more than a decade. The literature on it is extensive and comprehensive, but references to travel are hard to find.
“When we talk about risk and uncertainty, we talk about particular events,” said Hancock. “I think of travel as a root cause of events — the loss of a key employee, or not understanding the culture you’re traveling to and creating a reputation risk. You could see it as a subset of a lot of other risks — geopolitical, succession, etc. Maybe it didn’t rise to its own category, but it is a consideration.”
One of NC State’s surveys asks executives to rank 30 different risks. Among them, several are either related to or broader than travel, including: terrorism, political uncertainty, shifting trade policies, regulatory changes, supplier viability, talent retention, cyber threats and privacy protection. Some of those were among the survey respondents’ top ten risks.
Meanwhile, travel risk management literature in turn scarcely mentions ERM. One exception is Charles Brossman’s book, “Building a Travel Risk Management Program: Traveler Safety and Duty of Care for Any Organization.”
“Putting enterprise risk into more context with TRM, consider all of the different ways that employee and contractor mobility touches most aspects of a company’s operations, including a company’s approach to risk management. For example: travel to assess the risks associated with expanding operations into a new market; travel to meet with parties being considered for merger, acquisition or partnership, and their impact on the company’s reputation; travel to ensure compliance with legal and environmental requirements involving a project or operation.”
In an interview this week, Brossman said he wasn’t surprised that the authors of ERM literature do not address travel.
“If they don’t mention travel, it’s because they don’t get it,” he said. “The potential risks you put travelers in front of that can affect your business and reputation should be measured in a structured program for both common and strategic business decisions and executive decision support.”
International SOS executive vice president Tim Daniel said the ERM concept was popularized by insurance companies. It’s a big theme for the Risk and Insurance Management Society. Travel is a “narrow focus” in that bigger arena, he said.
“We do see it come up in market development exercises,” said Daniel. “Risk should be associated with opportunity. For example, I want to do business in new markets or existing markets where risk levels are shifting. What do I need to know about? Sometimes there are travel safety challenges.”
If they are on the lookout for “bigger conversations” that may be taking place, travel professionals could find “a place to put their story forward and potentially gain legitimacy,” said Daniel.
Travel Recon founder and CEO Toby Houchens said he thinks the role of TRM increasingly will be explored in the context of ERM. “Everyone agrees there should not be silos,” he said. “There is risk in duty of care, risk in finance. They should be tied together.”
A former travel manager and current member of the Global Business Travel Association’s risk committee, Robert Mintz said ERM could help TRM in its weakest area: training.
“Whether for travelers or an emergency management group, the time isn’t set aside for proper training,” said Mintz. “So [it would help] to have it institutionalized in areas that have defined processes — they have their checklists and they’re religious about it to the point of annoyance. To place travel risk in that larger continuum of IT and HR and executive management (and facilities, physical security and insurance) ensures the seat at the table.”
If the tie between ERM and TRM strengthens, travel risk systems could be joined up with other software to offer the ideal broad view.
“We believe a company needs best-of-breed in different capabilities, but that needs to be tied together with one or two user interfaces,” said Houchens. “Now we’re looking at companies with 10 risk vendors and 10 contracts, and they don’t need them all.”