Working Together: Travel Managers & Security Managers

There's a new conventional wisdom in town: Wherever risk management lives within the company structure, travel management and security both should have a seat at the table. So BTN decided to gather some security managers and travel managers at our own roundtable to talk about how the two functions interact in the name of travel risk management. BTN managing editor Amanda Metcalf spoke with:

BTN: Cindy, the way travel and security work together at Regeneron has evolved quite a bit since you joined the company. Travel wasn't involved in risk management at all before, right?

Cindy Shumate: When I got here a year ago, there was a small group, which consisted of the head of global security and then two people from HR, working with our risk provider. They thought they had integrated completely with a [passenger name record] data transfer, but it sort of fell on deaf ears because it just wasn't connected with the travel aspect; the two messages were somewhat disconnected. All of a sudden, here I come. I've worked very closely with two different travel risk providers [when working at Estee Lauder and Princeton], and it's been a very integrated message. So I hopefully gracefully inserted myself, and we started talking about the fact that this focus on travel risk comes out of the fact that people are traveling. We have a natural reason to get together and talk about this and develop this program together.

BTN: What else is changing now that you've pulled up a chair?

Shumate: [Two months] ago, our head of security contacted our [risk management] provider, and now they're doing a complete assessment of our view of travel risk. Hopefully this assessment will take us several steps closer on that maturity waterfall. Interestingly, on March 22 when we had a need to turn to our [risk management] provider, they told us that out of 625 PNRs that had been transferred from our TMC into their system, 621 were lacking email addresses and cell phones. We've been doing this data transfer without the essential pieces of information for contacting our folks. As I've been working with the TMC, too, I've discovered some gaps in what had been requested in HR feeds. Folks didn't really understand what data was necessary and where it came from and how you had to request the critical fields going from one profile system into another.

Mauro Ruggiero: We were running into the same problem maybe a year ago. We now have the feed from our HR tool into our TMC, which keeps our profiles fresh and deletes profiles that are no longer necessary and keeps all the contact info. And then from our TMC, it goes into our security firm, so it's been able to fill in the gaps.

BTN: As Cindy told that story about that data breakdown, what were you guys on the risk side thinking?

Dan Gallagher: Listen, been there, done that. When I first started at AIG, we didn't have anything—we didn't even have a common booking tool—probably seven or eight years ago. We didn't even have an ability to recall or even govern where our people were going.

BTN: So how integrated are the risk and travel roles now?

Gallagher: We are tied at the hip. It starts with a fit-for-purpose travel policy, and for that to work to the level that is expected today for a large company during an incident like London, it starts with the proper integration of the travel information, but there's a lot more to it. For us, it's a very holistic program that requires several components of our team to monitor and recall, but it's also that upfront travel policy to try and prevent us from ever being in a situation like that, then be able to understand where our people are, reach out and touch them either with a message or physically get on the ground. It's very closely aligned with our HR groups, as well as with our travel groups.

BTN: Tracy, you're also on the risk side. Do you have an active counterpart in the travel program? Do you sit down and meet with someone?

Tracy McPike: That is Kirsten Jackson. We are now hiring ISOS. [The decision to hire a risk management provider] came from travel. We collaborated with our HR department, our law department. All three of us in risk management were there. Our security facilities director was there.

We hedge bets for a living, and that's the approach that we took. It was a risk-based financial approach to getting this organization to prioritize … data quality that we rely on for our travel management systems."

AIG's Dan Gallagher

BTN: Kathy, what about at NetApp?

Kathy Rust: Our risk management team and travel team and safety and security all work hand in hand. Risk management actually owns the relationship with ISOS. We collaborate in addressing issues and coming up with policy and direction to travelers. Travel generally facilitates the messaging to travelers and to our TMC, while a lot of decisions are made by risk management, legal, HR and so forth.

BTN: It's always been that way?

Rust: I've been at NetApp for seven years. When I started, risk management actually was a part of safety and security. Over time, risk management got split off and travel got split off, but the three have continued to stay in good touch and collaborate on communication.

BTN: It sounds like for everyone here, the travel management and risk management roles are making decisions together or consulting each other. What prompted these positive relationships?

Shumate: March 22 in London was a really great moment to emphasize that we needed some protocol in place. The head of security and I said, "OK, the next time something happens, you and I must be on the phone with each other immediately. The rest of this team—we need to coalesce so that then we can build our plan from there." But to set up protocols to severity levels—what do we do when it's extreme versus something that's not so extreme—we're back at Step One to build the program and the integrations and when do we need ISOS to support us and all that kind of stuff. Sounds like we've all come through that evolution.

Ruggiero: Oh yeah.

Rust: We have always worked together, but we have had incidents happen in the seven years that have underscored the need to refine processes. A few weeks after I started, we had the [Icelandic] volcano ash cloud incident [that disrupted air travel in Europe for six days], and that forced us into collaborating with [our risk provider] to find all our travelers and get them home safely, and so we improved our processes after that. And then when the tsunami hit in Japan and we had to look at continuity of business and the risk to our employees in Japan, we worked with risk management and put in protocols that continue to this day. We're getting better and better over the years, and that has taken a concerted effort.

BTN: Mauro, you oversee both travel and risk at Misys. How did that come to be?

Ruggiero: When we started with the integration of ISOS, we knew it was important to get the bookings into their systems, make sure the data we were transferring was accurate. We don't run a big shop—it's really just me and one other person based in Dublin—so we took it over because we were going to be able to control it. Now, we have pre-travel emails that go out from ISOS if a country [has a risk rating of] 3 or higher. The TMC will not be allowed to book travel to certain countries, so it comes to our team and then we basically dive in and make sure that the traveler is aware of the dos and don'ts and give them the information via ISOS. It just made sense to all be handled by the travel team.

[When the March 22 London attack occurred], out of 625 PNRs that had been transferred from our TMC into [our risk management provider's system], 621 were lacking email addresses and cell phones."

Regeneron Pharmaceuticals' Cindy Shumate

BTN: How about working with HR? Any roadblocks there?

Ruggiero: They don't really understand travel, and then on top of it they don't always understand risk. Most of the time, we have HR involved only if it's a long-term assignment. We try to keep them out of it as much as we can. You get mixed messages going back and forth to the travelers, so we try to have the travel team deal with the majority of it.

Shumate: HR here was referring to travel risk and the partnership with ISOS as a benefit. They weren't really thinking that travel needed to be involved because it was really just a voluntary benefit [for the travelers to be] able to get the alerts or to travel with that card and the phone numbers. I came into the conversation [to help them realize] that the data was coming from the travel side and that in any one of these instances, it would be our TMC partner who should be working with the travelers to then assure that we can reposition and get them back when their initial itineraries are disrupted. There [can be] a misperception that ISOS would take care of it. They will if that's part of your relationship with ISOS, but it's probably not the most expedient.

Gallagher: The data quality has to be prioritized. Risk managers and security personnel, travel personnel have done a lot here in the United States of helping organizations understand what their duty to care for their employees actually entails. The liability that a company takes on when it deploys personnel for business travel is a very real thing. I work for an insurance company. We hedge bets for a living, and that's the approach that we took. It was a risk-based financial approach to getting this organization to prioritize these things, which led groups like HR to prioritize things like data quality that we rely on for our travel management systems.

BTN: Any other ways that you guys interact with your counterparts?

Gallagher: I hate to plug this, but: utilizing risk and their expertise to ensure you're purchasing the right [insurance] coverages with the right services for your organization. That gives you an ability to build an infrastructure and policy around it.

Return to Taking on Travel Risk Management