
On April 9th, Alex Craxton will be part of the Travel Risk Academy panel discussing the ins and outs of Travel Risk Management technology. This is an important point in time: we are seeing the rise of AI being deployed alongside traditional enterprise solutions and broadening into wider risk management solutions. What does all this mean, and what does the future look like? Join us on the 9th April for our free webinar and be part of the conversation.




When considering risk technology solutions for your business, it's crucial to evaluate the inherent risks within the solution itself. Each product selection demands significant investment and effort to maximize its effectiveness, making it essential to scrutinize and carefully plan before purchase and implementation. This brings us to a fundamental question: "What are the risks linked to my risk technologies?" Below is a concise summary of key areas to consider.


Hosting


Managing your own data centre involves significant risks and responsibilities, including ensuring the credibility of software vendors, hardware reliability, overall data centre resilience, and effective monitoring and incident management. These factors contribute to the overall cost of ownership and the resources required to maintain a secure and compliant operating environment. While some industries still require on-premise solutions due to regulatory and compliance needs, it is crucial to assess whether the risks associated with data centres are being adequately monitored and acted upon. Alternatively, cloud-hosted solutions offer flexibility in geographical hosting options (such as EU, US, APAC) and rely on your own security endeavours, along with the credibility of the solution vendor and data centre platform, to ensure a safe and secure environment. Vendors should adhere to widely available and certified standards like SOC2, CIS, NIST, HIPAA, CSA, GDPR, and ISO for hosting, operations, and data security. Organizations should assess the internal and external threats to their technology and maintain them in their risk register, alongside other threats to their business operation.


Some actions to consider

  • Ensure your solutions, whether on-premise or cloud-hosted, are being sufficiently monitored, with technical support available

  • Both the solutions and data centres should be certified against relevant standards

  • Build threats to your risk solutions into your corporate risk register


Unavailability


Technology is inherently imperfect. Cloud-hosted products come with a guaranteed uptime that falls just short of 100%, but downtime may happen at the most critical of times. Your access to these technologies is heavily reliant on your connectivity, whether it's through your own network, a secured VPN, broadband internet, or mobile data. None of these options are completely reliable, so it's crucial to test and ensure that your employees have the necessary access, authentication, and backup alternatives. Your stakeholders should all be well-prepared to handle situations where connectivity issues arise, with alternatives in place and backup plans if no connectivity is available at all.


Some actions to consider

  • Frequently test that key stakeholders and employees have access to the technology they need in an incident

  • Always have a non-technical backup in place, whether this is whiteboards in a control room or contact numbers for voice calls; you may still need this approach one day

  • Have a good working relationship with your risk solution provider to ensure support and resolution processes are in place


Scalability


In times of limited capacity or high pressure, it's crucial to understand how your risk solutions perform. Major incidents often lead to increased demand on specific resources, such as news sites, mobile networks, and social messaging apps. There have been situations where threats have caused outages in cloud-hosted environments, which may affect the operation and data you need to detect and respond to incidents. To ensure your risk solutions are effective, it's essential to test them in realistic scenarios and educate employees and stakeholders on where to find information, how to act within constraints, and what alternatives are available. Additionally, verify that the technology you choose is designed to function efficiently under these conditions, with features like lower graphical modes, minimal JavaScript overheads, controlled data downloading, and data caching. Testing should include aspects such as concurrent user limitations, messaging capacity, rendering of complex visuals such as maps, and large numbers of impacted people in incidents. It is also worth considering how you fine-tune your risk solutions to handle the threats and events that really matter, rather than acting on every minor disruption you might receive.


Some actions to consider

  • Work with your risk solution vendor to build scenarios to help test for scalability; don't just take their word for it

  • For national and global organisations, test that the risk solution can search, visualise, message and manage across your extensive employee base

  • Have alternate sources for intelligence and fine-tune your platform so that it only triggers on impactful situations


Accessibility


For many organisations, risk solutions are accessed infrequently, unless staff are notified of an incident impacting their people and business. It's crucial for stakeholders, such as response teams, to periodically verify their logins, ensure their details are accurate, and confirm that their laptops, smartphones, VPNs, apps, and browsers are up-to-date and functional. During a major incident, you don't want issues with logins or outdated software holding back any critical decisions. Additionally, it's important to validate that your risk technology can be accessed from various locations, including home or on the go via a smartphone. This ensures readiness and accessibility in any situation. If your organisation requires single-sign-on access to your risk solution, ensure that it has been integrated correctly and test it periodically.


Some actions to consider

  • Frequently use test scenarios to ensure key stakeholders can access the risk solution and can verify or update anything required to log in

  • Test access works across desktop and mobile devices both on-site and in remote locations

  • Ensure the risk solution has been designed with different users in mind, taking into account any visual or dexterity needs


Quality


As with any enterprise solution, the effectiveness of your risk software hinges on the quality of the data it processes. Incomplete, inaccurate, or unverified employee profile data can pose significant risks and prevent or delay action. Accurate contact details, location information (such as travel data, home and work addresses), and access control measures are crucial when managing incidents, so that you really understand who has been impacted. If you lack information on someone's whereabouts, cannot communicate with them, or are unaware of who might be affected by an incident, your job becomes considerably more challenging. Therefore, it's essential to monitor your data continuously. Utilize risk management solutions that offer comprehensive reports and dashboards that highlight incomplete or incorrect information, including profiles, validated devices used for access, and travel data.


Some actions to consider

  • Do not assume all your profile, location and travel data is 100% correct; use reports within the risk solution to monitor and resolve issues

  • Get employees to review their profiles within the HR platform periodically and ensure those changes propagate into your risk solutions correctly

  • Travel itineraries often contain data that is not easy to map against a known profile; look to your risk solution to provide reports on orphaned data such as this


Automation


Until recently, our reliance on structured data involved human input, validation, authorization, and decision-making. AI, alongside other automated activities, has transformed this landscape. Like humans, AI is not infallible and should not be solely depended upon for accuracy without inspection. It is crucial to identify and address potential issues that may arise from using AI for generation or decision-making, and to have mechanisms in place to rectify or reverse any issues. Over time, these risks may diminish, and improved training methods can help mitigate threats. It's important to recognize that the AI engine itself is not the only risk; the data it uses can become outdated, biased, or lead to inaccuracies. Monitoring and resolving these issues is a shared responsibility between your organization and the software vendor. Any automated aspects of your process need to be monitored and revised if or when issues occur.


Some actions to consider

  • Train and test whatever AI or automated platforms you or your risk solution use. Do not assume whatever they produce is always going to be 100% correct.

  • If an AI engine has been configured to make decisions, ensure decisions are visible and logged, especially in the context of potential audits and investigations

  • If you are using content from external providers that utilise AI, feed any issues around accuracy back to the vendor as soon as possible


Silos


Currently, risk solutions often focus on specific operational areas of a business, but this is evolving. Ideally, the solution used to identify threats to your organization, employees, technology, suppliers, and travel should be unified and consistent. Many incidents will impact multiple areas, though the mitigation controls may vary in terms of monitoring, response, and resolution. By understanding the impact across these areas, you and your organization can more effectively identify, plan, coordinate, and manage incidents and their broader implications.


Some actions to consider

  • Look at risk solutions that bridge the gap between physical, technical and operational areas of your business, either within their own features or through integration with other risk solutions

  • Create test scenarios that cover situations affecting many areas, and check that the response tools take the wider impact to your business into account

  • Check that your monitoring and triaging solution is not overwhelmed when handling incidents from many areas of the business and can escalate appropriately


Summary


The wide world of risk is a vast and volatile area to follow and manage. You are unlikely to find a single solution that covers every threat, every mitigation control and every response process consistently across your entire business. However, for these cross-business, interconnected situations, ensure your assessments identify the physical, technical and operational threats, and that you revisit these often. Consider carefully the integration of risk products and services that can handle these complex threats seamlessly together. Establish procedures to monitor and resolve data quality issues quickly and efficiently; do not assume all is well. Finally, use widely available certifications and standards to ensure those risk solutions are fit for purpose and the vendors maintain accountability for their reliability.

Travel Risk Technology in a world of chaos

VUCA is an acronym doing the rounds more and more as we see further geopolitical change, conflict and uncertainty. Taking time to view your technology in the context of volatility, uncertainty, complexity and ambiguity is time and effort well spent. It is not a new acronym, I believe it was first coined decades ago, but the sentiment is very relevant today and it is worth using as a framework to analyse Travel Risk Management solutions. It is a big test for your travel risk technology to predict, implement and adapt activity and policy in an uncertain world … but as they say, hope is not a strategy.


Volatility

Change is inevitable, and managing your safety and security policies effectively within this chaos is critical, especially when it comes to your travel programs. Organizations must adapt to shifting requirements and regulations while identifying events that impact their operations, people, travel, supply chain, technology and infrastructure. Investing time and effort to identify trends and anomalies should help inform your response activities and travel policies. Finding reliable and verifiable sources of intelligence is essential to decision making and maintaining control amidst chaos. Your travel risk solution should actively aid in identifying events, triaging them alongside other situations and managing response cases, and be able to adapt all of those to change.


Some points of action

  • Read and learn from intelligence forecasts and use tools that help predict and alert to behaviours

  • Look to plan and build response around threats by category and scale, with the ability to adapt on the fly

  • Revisit your risk register often and ensure you are evolving it and mitigating anything new


Uncertainty

Navigating unpredictable events and frequent changes can be challenging for any organization. It's crucial to encourage employee confidence by clearly communicating travel requirements as early as possible, along with how they impact the individual and the company. By shifting from uncertainty to clarity, you can explore new possibilities and find the best information to guide your decisions, even if you need to adapt during chaos.

Some points of action

  • Run exercises and tests for known threats and reuse those skills and frameworks if unpredictable events occur

  • Take a proactive approach, educate and train, don’t wait for situations to happen

  • Be ready to adapt, use technologies that provide features that can be tweaked as you go


Complexity

Highly interconnected events and ongoing situations over extended periods can have widespread effects on your people, operations, suppliers, and economies. We often hear about poly-crises. These occur when multiple, severe situations happen simultaneously, potentially interlinked, creating a complex and challenging environment for businesses to navigate. Major incidents may require a level of organisation, coordination, communication and activity both immediately and over a long period of time. It is crucial that you use technologies that aid in each of these and support case management from start to end.


Some points of action

  • Build your risk register with the flexibility to handle interconnected situations at scale

  • Use risk and enterprise tools that best suit rapid coordination and collaboration during incidents

  • If you adapt existing processes and solutions, make sure those learnings are fed back and built back into your response


Ambiguity

Addressing misinformation and disinformation is crucial for making informed and transparent decisions. Using the right intelligence and risk solutions should enable you to analyse and validate data sources in a suitable time frame. Any decision making based on this information may need to be taken within regulatory and compliance limitations. Keeping employees well-informed and calm during incidents is vital for maintaining a productive and positive situation.


Some points of action

  • Use intelligence sources that provide citations and tools to validate and clarify reality on the ground

  • Ensure you only provide clear and concise information to your employees impacted by incidents

  • Implement services where you can provide points of communication from employees for clarifying situations and providing assistance


In summary

While you can't control the world, you can use the data, expertise and technology available to increase clarity and certainty. Look to travel risk solutions that provide more depth to the information you are being fed, provide ways to adapt your activities and policy, and give you a level of control to make sure everyone is informed and focused. Technology can be a powerful tool to help bring some level of order to chaos, ensuring your organisation is on top of the situation and your employees, whether at home, in the office or travelling, stay informed, calm, and safe.

© 2025 by Evo Strategy.
