When developing a travel security program, companies need not develop “nanny-like programs,” says Ed Levy, former director of global security for pharmaceutical firm Pfizer who now runs security at New York’s Empire State Building.
Rather, companies should “make people aware of the risks, make resources available to them, and strongly suggest that they don’t do certain things,” states Bill Anderson, group director of global security for transportation company Ryder System Inc.
A typical travel risk policy should include three components: protocols, training, and contingency plans.
Protocols. Employees need guidance in terms of best practices for travel, but it should not be a one-size-fits-all approach. Company protocols should be flexible to account for different locations and the varying degrees of risk they present. Anderson’s department has tiered travel security policies for locations based on three levels of risk: high, intermediate, and low, he says. If an employee is going to Hong Kong, for example, the security department doesn’t need to go through the full panoply of issues that would apply to a high-risk location. Instead, security explains the local risk and recommends a few places to stay. For a more risky destination, the assistance provided by security staff is more extensive.
The choice of lodging is critical, considering terrorists’ penchant for hotel attacks. Company protocols should address the types of lodging that are safe. Companies should choose a resort-style hotel when possible, because there’s “a nice degree of separation from where the property begins and where the hotel is,” says James Reynolds, director of safety and security for Hilton’s Palmer House in Chicago.
If a resort-style hotel isn’t an option, travelers should opt for a hotel that is set back from the street. Companies should also choose hotels that have visible security, especially guards dressed in police style uniforms. Visible security is one of the easiest ways a hotel can harden itself from becoming a terrorist target, says Reynolds. It also reduces the risk of more ordinary crimes.
Companies should establish a protocol for their internal security staff to follow with regard to calling hotels, discussing their security arrangements, and verifying them with local sources, says Anderson. “Sometimes consultants are reticent to recommend a hotel from a security standpoint, but oftentimes they can tell you what it’s like.”
Reynolds agrees that it can be helpful to call the hotel’s security director, especially if the traveler is an executive who travels with a security detail and needs extra attention. The hotel security director can “assist you in elevator holds, where to stage your car, and the best way to position your room,” if you work with them in advance, says Reynolds.
There is only so much the company can do to protect its employees when they are in another country, but one simple measure that can at least ensure that headquarters will get an alert at the first sign of trouble is to have a routine check-in protocol. Depending on the location’s risk, employees might be required to touch base with headquarters or a designated call center first thing in the morning and last thing at night. “All that has to be is just a check-in call to say ‘Back at the office,’ or ‘Back at the hotel,’” Geddes says. A failure to check in would trigger response protocols.
A more tech-savvy method is offered by iJet. The company can provide clients traveling in high-risk environments with a GPS mobility-tracking device or tracking software that they download into their personal wireless device.
“The capability is for them to be able to hit a panic button and that goes through satellite communications instantly to our command center, and it tells us that they’re in trouble,” says David Weir, vice president of resiliency services for iJet.
The technology can even be tweaked to provide a travel perimeter for employees. Once a traveler steps outside a company’s predetermined area, iJet is notified. Response depends on the protocols they’ve devised with the client company. The travel perimeter concept is popular with news organizations for tracking their reporters whereabouts.
Company protocols should also provide for what to do in the worst-case scenario. Traveling employees should have the ability to call a 24/7 hotline for assistance in an emergency. Travel security experts interviewed for this article stressed the importance of these numbers, which allow employees to contact either the company’s security department or a travel security management provider if there’s a serious problem. Once connected, a security expert can provide travelers with their best option based on their situation, whether that’s sheltering in place, seeking safety at an embassy, or preparing for extraction or evacuation.
Training. Companies need to educate employees about how to behave abroad and about the risks that are endemic to their destination. Among the lessons should be tips on how to blend in with foreign cultures and avoid drawing attention to the fact that they are outsiders or that they are business professionals. “What it means is looking like a regular, middle-class traveler in that country,” explains Chris Falkenberg, a former Secret Service agent and president of risk management Insite Security.
Travelers should be instructed to avoid carrying high-level credit cards and to eschew the trappings of success that some businesspeople like to flaunt. They should also be instructed to avoid carrying anything that ties them to a government or a religious organization. Basically, the less that ties them to anything that might inflame local opinion or that might be used against them if they are kidnapped, the better.
Heffelfinger, an expert on radical Islam and a former counterterrorism consultant to the U.S. government, takes this advice further than some, saying business travelers should go native if they will be there for awhile. “Get to know people, eat the food,” he says. “Travelers who are more culturally aware of their surroundings are less prone to strike a profile.”
While Heffelfinger doesn’t think this approach will be popular with some companies, he believes in it. “In the long run, I feel confident that this approach would pay dividends over the bunker mentality,” he says.
Traveling employees must also learn to vary their routines. The mantra: Never be predictable. This can be hard for travelers because people naturally sink into routines, says Heffelfinger.
One of the most important lessons companies should teach employees is to avoid complacency when traveling. That is an ongoing challenge with seasoned travelers. “The perception among well-traveled people is that they have seen it all,” says Gavriel Schneider, international director for South Africa-based Dynamic Alternatives. This belief can be very dangerous, he says, because they drop their guard.
The level of training should also track the level of risk. This is especially important when an employee travels to a high-risk location no one with the company has been to before, says Anderson, who just had employees travel to Africa for the first time. When this occurs, the security team should come up with a detailed travel plan and give the traveler face-to-face coaching on what to expect and what to avoid.
Some companies offer employees additional training with regard to potential high-risk situations they may encounter. For instance, iJet’s risk mitigation training is similar to military-style survival training. “It covers situations when the infrastructure’s totally down, there’s no power, and food and water are getting scarce,” says Weir. The company trains its clients’ employees to know how to take care of themselves as they try to make contact with their company or iJet.
Given the attacks at hotels, such as the Oberoi and Taj Mahal in Mumbai, companies may also want to address what to do in active-shooter situations. Reynolds trains his employees on active shooter situations using the Department of Homeland Security’s response process of evacuate, hide, or take action, depending on the situation guests find themselves in, he says. ( Link to this guidance via “Beyond Print
".) A guest’s options, however, are very limited in these scenarios, because it’s the active shooter that’s calling the shots until law enforcement arrives.
Contingency plans. No amount of planning can eliminate all risks, so companies should formulate contingency plans for cases in which conditions quickly sour. In the case of a coup or a terrorist attack, for example, “There should be a good extraction protocol and procedure in place to get the employee out of that location in the safest way possible,” says Geddes.
In order to know whether employees are in a danger zone and to be able to rescue them, a company has to be able to locate them. For companies with a phalanx of traveling employees, that can be a challenge. Anderson feeds his travelers’ itineraries into International SOS and Control Risk’s Travel Tracker, which creates a searchable database of all employee travel.
“If there’s a terrorist attack,” he says, “we can search that and see if any of our travelers were there at that time.”
International SOS's Vice President of Global Security and Intelligence John Rendeiro says such systems are vital to managing risk. “We can see exactly how many of our clients are in any given part of the world at any given time,” he says.
When a devastating earthquake hit Haiti in January, International SOS was able to find out instantly how many clients were in the country. The company’s travel tracking program is so powerful that it knew very quickly that 42 of its clients were on the airplane that crash landed in the Hudson River in January 2009, says Rendeiro.
Companies may also want to establish in-country safe havens as alternatives to corporate office locations in chaotic areas. That might be a hotel or residence, says Geddes. Unfortunately, there’s no cookie-cutter approach to decide where these locations will be; the variables change from place to place and situation to situation, he says.
With regard to getting employees out of a danger zone quickly, many companies use private firms like International SOS or Kroll to conduct extractions when necessary. These firms rely on local personnel, usually former special forces personnel who have connections and knowledge of the environment, to help them get their clients out when necessary.
Generally, extraction teams find their target after employees make contact with the command center and inform it of their location. The center then relays that information to the team. In situations where voice communication systems fail, employees should still be able to send and receive SMS text messages to communicate their whereabouts. When all means of making contact fail, employees should have a predetermined rendezvous spot that they know to travel to.
Levy recounts a story from his Pfizer days that showed the enormous benefits of outsourcing extraction services. Pfizer had employees in Lebanon in 2006 when Israel launched a military action against Hezbollah inside the country. The company’s emergency plan went into effect, and employees were safely evacuated from the danger zones on buses and housed in hotels as-needed until they could be flown out on commercial aircraft. Levy called this service “positive control—where the provider, International SOS, is responsible for picking up the employee, transporting them, securing them, feeding them, housing them, providing medical care, providing clothing,” and on and on. “They made me look like a hero,” he notes.