International Security Journal caught up with Gian-Rico Luzzi, Senior Manager Physical Security EMEA at VMware to discuss his role in creating the new standard for travel risk management and what the impact of ISO 31030 will be.
Could you tell us about your involvement in the Travel Risk Management standard please?
My involvement in travel risk management standardisation began in December 2014 after the findings of my Master’s dissertation highlighted that there was an immediate market need for a standard on the topic. In short, I proposed the idea to the British Standards Institute (BSI), was invited to become a committee member on the risk management committee as a representative of the Security Institute, worked to get the proposal approved for development and then spent a year or so as part of the working group which produced the publicly available specification PAS 3001:2016.
This BSI PAS was incredibly well received by the market and the risk management committee then proposed to the International Organization for Standardization risk management technical committee TC262 that a new international standard on the topic be created as part of the ISO 31000 family of standards. An international working group, ISO TC262 Working Group 7, was formed in July 2018 and over the last three years, myself and other national representatives/standardisation experts have been working conscientiously to get through to publication, which took place on 21 September 2021. To develop ISO 31030, seven iterations of the standard were produced, four formal global consultations were conducted and 1,100 comments from 24 countries were reviewed. It has been a truly global effort.
Why is this standard so important?
ISO 31030 is the first and only international standard on the topic. The research that I conducted and published in 2015 found that organisations, particularly small and medium sized organisations without mature risk management functions, struggle in context to interpret and determine what reducing risk to a level as low as reasonably practicable (ALARP principle) entails. The new standard is now the global benchmark for small, medium and large organisations from all industry sectors to benchmark themselves against, assuring and demonstrating that their travel risk framework or program is indeed proportionate to the organisation's size, industry, profile, risk exposure and appetite and resources.
Many organisations today still operate with a siloed approach. In context they may have a travel manager or department getting people to where they need to be efficiently and cost effectively, a security manager or department looking after executive and/or high-risk travel and HR managing benefits and insurance. However, there may be very little cross-functional interaction, with many of the other important key stakeholders not even engaged. This may result in strategic, operational, financial, compliance and reputation risk related to travel and mobility being overlooked. The new standard highlights all the types of risk that an organisation should be considering, not just the traditional safety and security risk. It also highlights all internal and external stakeholders and functions that should be involved and working together cross-functionally to address all the risk to the enterprise or organisation.
What benefits will it bring to organisations?
Adopting Travel Risk Management in an organisation will promote a culture where travel related risk is taken seriously, resourced adequately, managed effectively and the benefits to the organisation and stakeholders are acknowledged. These benefits being:
How do you think this standard will impact travel risk management for organisations moving forward?
Standards are, in essence, an agreed way of doing something. They show you ‘what good looks like’. By creating the new ISO standard on this topic, we have now provided organisations and service providers from all over the world with internationally agreed terminology – creating a single language for all to speak – both for the organisations and the suppliers that service their requirements. The new standard also provides clear guidance on what an external provider/supplier should be supporting with and importantly what must be done internally – that can’t be transferred to a third party. Not only will this improve the travel risk management within an organisation, but it should now also encourage service providers to radically improve their service delivery as those within organisations responsible for managing travel related risk are going to be far more cognisant of ‘what good looks like’.
For example, let’s consider the use of the word ‘preferred’ in relation to travel accommodation. Up until now this would have typically referred to the way in which an organisation would rate and promote their accommodation service providers to their travellers based on negotiated rates, traveller amenities, proximity to facilities/offices, corporate incentives etc. This would typically not have involved considering health, hygiene, safety, cyber and information security and physical security.
The standard highlights this important fallacy and clearly outlines all the considerations that an organisation should be considering and verifying in relation to accommodation providers, both in relatively low-risk environments and in high-risk locations. This will hopefully transform the use of the term ‘preferred’ within organisations as they enhance their procurement and risk assessment practices and compel service providers to demonstrate having effective and transparent risk management policies and processes and/or evidence of accreditation from a credible third-party assurance provider.
Aligning to the standard will also support organisations with addressing their environmental, social and corporate governance goals. An example of this would be that of considering diversity characteristics. Up until now many organisations may only have been considering nationality and/or religion as important diversity characteristics which could potentially increase travel related risk dependent on destination. However, now utilising the standard an organisation is guided through the process of exploring and understanding all the characteristics that should be considered prior to risk assessment. This is an important aspect to consider as organisations may be inadvertently sending people to locations which may pose additional risk to LGBTQ, BAME/BIPOC and women travellers and disabled people.
The standard is also clearly being published at an opportune time in relation to the pandemic as organisations now are focusing on how to resume travel and to do so safely. At the same time, we can see that the pandemic has also accelerated remote and flexible work arrangements with expectations of an “Anywhere Workspace”. The standard will be of huge benefit to organisations grappling with Duty of Care responsibilities related to resuming travel and to address the risk related to a dispersed and much more mobile workforce.
The standard will also become an important reference tool for those within organisations who are responsible for managing travel related risk. Apart from providing very clear and definitive guidance on how to design and implement a TRM program, the document itself and the guidance and controls listed therein can become a valuable reference on a risk register when a gap analysis or vulnerability assessment is conducted, helping to create a much more compelling read for executives, as this is now the internationally accepted benchmark which no doubt will also be carefully considered by litigants and regulators.
How can people find out more information about the standard and who is the intended audience?
You can buy a copy of the standard from the ISO website. The standard provides guidance for any type of organisation that has a Duty of Care for people on work-related travel and is aimed at those within an organisation responsible for managing risks; however, it has been carefully written so that it can be easily digested by those in small or medium sized organisations who are not risk management experts. The standard being part of the ISO 31000 family allows the framework to be easily integrated into an existing enterprise risk management framework or, for those organisations without a mature risk management function, it provides clear guidance on how to design and implement a standalone travel risk management program.
Gian-Rico Luzzi is the Senior Manager Physical Security EMEA at VMware. He is also a: