If your business is to demonstrate risk management,
As specified by the law and international standards,
You must establish context.
Before starting the design and implementation of the framework for managing risk, it is important to evaluate and understand both the external and internal context of the organization, since these can significantly influence the design of the framework.
Evaluating the organization’s external context may include, but is not limited to:
the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
key drivers and trends having an impact on the objectives of the organization; and
relationships with, and perceptions and values of, external stakeholders.
Evaluating the organization’s internal context may include, but is not limited to:
governance, organizational structure, roles and accountabilities;
policies, objectives, and the strategies that are in place to achieve them;
capabilities, understood in terms of resources and knowledge (for example capital, time, people, processes, systems and technologies);
information systems, information flows and decision-making processes (both formal and informal);
relationships with, and perceptions and values of, internal stakeholders;
the organization’s culture;
standards, guidelines and models adopted by the organization;
and the form and extent of contractual relationships.
Next is defining risk criteria, as it applies to business travel.
The organization should define criteria to be used to evaluate the significance of risk.
The criteria should reflect the organization’s values, objectives and resources.
Some criteria can be imposed by, or derived from, legal and regulatory requirements and other requirements to which the organization subscribes.
Risk criteria should be consistent with the organization’s risk management policy, be defined at the beginning of any risk management process and be continually reviewed.
When defining risk criteria, factors to be considered should include the following:
the nature and types of causes and consequences that can occur and how they will be measured;
how likelihood will be defined;
the timeframe(s) of the likelihood and/or consequence(s);
how the level of risk is to be determined;
the views of stakeholders;
the level at which risk becomes acceptable or tolerable;
whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered, all inclusive of business travel.
To test this within your business, select 1 traveller and 1 trip.
Now demonstrate all the above, as it applies to that specific traveller and that specific journey.
Now apply it to 10 travellers and 10 business trips.
Is the context, evident, documented, unique and specific to each traveller and trip?
If not, you don’t have adequate evidence to demonstrate travel risk management, in addition to having an inadequate establishment of context.
To learn more about business travel risk management and your obligations,
Visit www.isitsafe.travel .
Next, in this series on travel risk management, we examine risk identification, step 3 of 7 required for travel risk management.
Safe work systems and enterprise risk management, inclusive of business mobility and travel.