3 Takeaways
- Travel & security are closely aligned in driving program compliance.
- Security requires additional visibility into off-channel bookings, which travel may be challenged to supply.
- The best travel & security collaborations maintain a continuous dialog and review incident response at least quarterly.
"The No. 1 thing a travel department can give to security is the itinerary," said WorldAware founder Bruce McIndoe. "I think that's getting lost somewhat in the industry dialogue. Without the itinerary, [the security team] can't provide security effectively. Once the traveler arrives, it's too late."
Security professionals' stake in travel is deeply aligned with the objectives of travel management itself—booking compliance to preferred channels and the data those bookings provide. Unlike travel management, finance and procurement, however, security doesn't much care about share with preferred suppliers, cost or savings. They mainly care about one slice of the data: where the traveler is going.
For most companies, the business location for a vast majority of trips won't raise eyebrows. But for the, say, 10 percent of trips that do require a closer look, security will want to know the purpose of the trip and whether the business reason justifies putting human assets in a high-risk location. Can the work be done remotely? Is there an alternate location that is mutually agreeable?
Barring that, corporate security or risk management teams want to prepare travelers for the risks they are likely to encounter. The trip could require anything from health vaccinations to an armored vehicle, but it's on foreknowledge and preparation that McIndoe said companies should focus their travel risk management attention, and not as much on their reactive tactics after a crisis event.
Yet accidents, injury and illness can happen anywhere and at any time. This unpredictability requires continuous access to travel and traveler data, said McIndoe. "The richness of the traveler profile data is a great aid and typically is better than what you have in a company's human resources system," he said. "Access to those two information sources—the itinerary and the traveler profile—are of the greatest value to incident management."
Security's PreTrip Power
Not every company has a dedicated safety, security or risk management function. For those that do, a data sharing protocol ensures travel and security operate within their expertise without overlapping or oversharing.
"The travel manager keeps the agency systems and relationship up and running and the travel security manager keeps the travelers safe, working with our own systems or security partner," said Norges Bank travel security manager Ronny Saether. The travel data flows between the agency and security systems. "We need to talk with one another to ensure our policies are aligned, but when I reach out to travelers to mitigate risk, I never report back to travel about mitigation measures. I report back to the security director."
There are times, however, when security and travel need to collaborate outside the day-to-day protocols. Policy alignment is the foundation of that collaboration, as Saether noted, but it also touches supplier selection.
Supplier Spot Checks
At most companies, security is unlikely to get involved in formal supplier sourcing exercises. They do, however, want to know the carriers and the hotels travelers plan to use for individual trips. Again, they are looking at itinerary data for this, and they are looking for questionable suppliers or any that may be restricted for security reasons.
Ideally, an agency partner would stay alert to these issues and help prevent such bookings either with live agents following policy or with restrictions baked into the online booking tool. What could go wrong?
Lapses occur even with the best agency partners, and precious few companies configure true bans into their online tools. Moreover, not every local office may be covered by a company's agency partners or served with online tools, and travelers can be out of their depth when making complex bookings on their own.
A communication from corporate security managers about unsafe travel plans may carry more gravitas than one from a travel management department, which may prod travelers with other types of messages or marketing nudges.
Cardinal Health global travel manager Jill Huffman told BTN in June that a year after moving Cardinal's travel program underneath the security function, security now weighs in on high-risk travel requests and travelers have taken notice with real behavioral changes. "It's easier and quicker for us to respond with security … if we need to reschedule their plans," she said.
Secure Sourcing Support
Some companies, however, do engage security for the travel sourcing process, particularly when it comes to hotel programs. Cardinal Health is one. Security gets involved in vetting partners in high-risk areas, according to Huffman. The World Bank is another. The organization travels to many locations precisely because other companies don't, and it is expanding security-focused sourcing to its entire hotel program.
"We have now a lot more [security] integration to the travel program," said World Bank travel specialist Roman Neumeister. "In terms of hotel sourcing, we have added eight mandatory fire, life and safety questions in the hotel RFP. We had our hotel bidders conference and made it very clear: If your properties do not meet these mandatory requirements, you are automatically out.
"But these are requirements that travel should not and could not make on our own. We have to rely on the expertise of the security specialist to provide us with that information," he said.
On-trip Incidents & The Challenge of Travel Data
Even with pretrip protocols and security-oriented sourcing in place, traveler safety and crisis incidents do occur. The companies best equipped to respond are those that provide the most comprehensive view of travel activities to their security teams.
Security leaders who spoke to BTN, however, lamented the challenges of working with travel data.
"It can be quite difficult to ensure the quality of the data is good enough," said Saether. "The email address, the phone number in the wrong format," he said, referring to the traveler profile. "And then when you have a trip update or it's been rebooked, it can be a challenge to get that information fast enough. If they called the agency, we can get it quite fast. But if the traveler makes a change at the airport, we can lose control. … It may be they never went on the aircraft." Saether also mentioned travel's technical limitations with group travel can result in incomplete data.
None of these issues are new to travel managers, who struggle with them in several contexts: ensuring compliance to preferred suppliers, accurate data for negotiations or even identifying potential fraud situations with onsite ticket changes. In these contexts, driving channel compliance has been a critical focus. Travel managers may need to broaden their thoughts on compliance when it comes to supporting traveler safety and security. Indeed, fully understanding the impact incomplete travel data has on security efforts has caused some travel managers to rethink the framework of their programs.
Does Consolidated TMC Data Deliver Enough Value to Security?
The first step toward data control for many programs is rationalizing the agency supplier base. Cardinal's Huffman underscored the benefit of appointing a single global travel agency. "There were a lot of agencies around the world, and some were not feeding at all into our security systems," she said. The World Bank's Neumeister echoed that experience, citing the bank's TMC consolidation effort as a critical move toward complete travel data.
Yet, World Bank security operations center manager Sebastien Mateu said TMC consolidation isn't a full solution. There are times, he said, when travelers book directly on an airline or hotel website or an aggregator like Booking.com, so "we don't have access to that data." World Bank travelers also need clearance from in-country security personnel to travel to certain locations, but travelers tend to create workarounds for those permissions or even travel without them, he said.
While the latter problem seems intractable, the security team has created a straightforward solution for the former: World Bank requires travelers to forward confirmations from their direct bookings to WorldAware, which automatically includes them in the trip data for security.
"I get a monthly report from WorldAware that shows me how many people actually do that. We have zero compliance," said Neumeister. "We continue to communicate about it. It's on our website and it's on security's website. When something happens, those people may say, 'Hey, no one helped me.' They made it impossible for us to know where they are."
Mateu concurred. "The reality is that we have worked together long enough and bridged the gaps we can between travel and security to make our response faster and more proactive. What's left is the user. If they aren't forwarding their bookings, they aren't contacting in-country security for clearance or they're not updating their new cell phone number, it's very difficult to help them. Security is a shared responsibility, and the travelers also have to do their part."
Hotel Program Focus
Security's active involvement in sourcing may be rare, but especially for hotel programs and especially for companies that dispatch travelers to sensitive areas, it may become more common. According to WorldAware director and senior advisor of critical operations, global assistance and response Bob Howell, hotel terror attacks are on the rise. That means more companies may engage their security divisions to assist in sourcing, but also that companies may need to source more safe hotels to prevent specific properties from becoming obvious targets for bad actors.
Off-Channel Options
ITW global travel manager Cathy Sharpe said visibility into business travel activity will never get to 100 percent, but she's using SAP Concur's TripLink technologies to incorporate similar email forwarding strategies to those employed by the World Bank. She said she's pushing past those limitations when travelers book direct with suppliers fully integrated into the TripLink ecosystem.
"Security's message to me was that they were really challenged by the incomplete travel data," said Sharpe. "We had already moved down the TripLink path with the travel program. Pushing that data directly to [security partner] Healix has given us monumentally more data than what we were seeing in the past."
Moves like this raise the question: Should travel managers compromise hard-fought program compliance to deliver increased value to their security stakeholders? It's been a slow burn, but sentiment may be shifting.
Once considered a travel program jailbreak, TripLink now counts 14,000 customers and 9 million active users, according to SAP Concur president Jim Lucier. He emphasized at The Beat Live conference in September that the underlying concepts of TripLink—namely, to capture supplier-direct bookings—had become mainstream for travel managers. Lucier cited a Concur poll fielded at the Global Business Travel Association convention this summer.
"That GBTA poll asked [travel managers if they are] going to bring these leaked bookings into their travel program for data analysis. Seventy-one percent of travel managers said they planned to get these in within the next year," he said.
Sharpe was one of TripLink's early adopters and has advocated consistently for travel managers to open their programs to bookings outside the TMC channel, as long as the data can be captured on the back end. "It's been the very best decision from a data perspective and from an economic perspective that ITW has ever made," she said.
Regarding bookings with suppliers that aren't fully integrated into the TripLink universe, Sharpe said ITW travelers have been relatively motivated to forward their confirmation emails to TripLink for data capture. She acknowledged, however, that "until every supplier is brought into TripLink, there will be issues" with visibility.
Other suppliers are looking to close the email-forwarding gap. Traxo offers off-channel data capture technology and is building a universe of direct supplier participation into a product called Traxo Connect. Currently the company has only a handful of travel suppliers in its marketplace, but it also pushes an email system rule integration that automatically forwards travel confirmations to its data parsing tools. The rules eliminate the need for travelers to forward their confirmations, and once the data is restructured, Traxo passes it to security partners.
There's a sentiment among travel managers that the email system integration could be too invasive for their companies to adopt. Traxo minimizes those requirements in its marketing. How the value of the data is positioned to the corporation could matter in making such decisions—is it a play for travel data or a play for human security? Is one business reason more compelling than the other?
Getting More Strategic with Security
The symbiotic relationship between travel and security is clear. Yet, travel also has a stake in the security team's ability to deliver. Of course, there's an interest in preparing travelers for risky trips. At its most intense moments, however, travel relies on security for rapid and thorough responses to travel crises. These are the moments when all the data, collaboration and preparation mean the most. Both the travel and security teams have a stake in ensuring procedures work as well as they can.
WorldAware's McIndoe is part of an industry work group that has shaped a five-level travel risk management maturity model. Level 5 is considered "optimized," said McIndoe, and is characterized by a TRM strategy that undergoes continuous review against defined metrics to understand the impact of travel emergencies and to refine response times and procedures accordingly. Asked what metrics companies should be looking at, however, McIndoe demurred.
"Our workplan is exactly that—let's get those [metrics] down and get discourse going within the industry around what are the right metrics vis a vis [TRM] effectiveness and efficiency," he said. Barring exact metrics, he continued, outcomes are the most important factor to look at right now.
"Companies should look at every incident that occurs with any traveler and break each one down to determine if it was a health, safety or security issue or not," McIndoe said. "If not—if it is actually an issue with travel process or procedure, like not having the correct visa—the remedy should stay with the travel department. If it is [a health, safety or security issue], the company should look deeper to see how the incident occurred. They should go through the model, from policy to procedure, enhanced training … where did the gap occur? And then fix it.
"The general tempo is that a composite view of incidents should be looked at on a monthly to quarterly basis depending on the size of the program. From those incidents, you triage down the typical risk spectrum. Figure out what are some [risks] you should focus on. For a major incident there should be an immediate after-action review."
What McIndoe describes is similar to Sharpe's "case-by-case review" strategy at ITW.
"ITW travel and security teams have established a tree of authority that makes decisions based on emergency procedures," she said. "Otherwise, we do quarterly reviews to ensure anything that has been an issue was taken care of. We review how it was taken care of and whether we need to do something different next time."
Through this process, ITW has worked with its TRM provider to create a different emergency notification and response system for travelers. It has also elevated the level of authority its TRM partner has to move forward with a response without explicit approval from an ITW executive. "This was a joint decision between travel and security. It has reduced our decision-making times and allowed ITW to be more thorough in these situations."
Sharpe added that ITW has not experienced large-scale travel emergencies. Asked if she felt ITW's travel and security teams were prepared for one, she confidently said, "Yes."
McIndoe stressed that regular reviews position companies to be ready when a situation does arise. "TRM has to be part of the company's culture, not just a task assigned to travel. It requires principles to be applied just like other areas of the business. Without that, the collaboration between travel and security becomes stagnant."