Duty of Care for High-Risk Travel: What Organizations Get Wrong Before Anyone Gets On a Plane

When I left Special Forces after twenty years and took a position as a Business Continuity Analyst at a major financial institution, one of the first things that struck me was how little the corporate world understood about managing risk to people operating in difficult environments.  The frameworks existed on paper and the policies looked reasonable in a binder.  But the gap between what was documented and what would actually protect someone moving through a genuinely hostile environment was significant.

That observation stayed with me when I transitioned into executive protection work, including assignments in Mexico, where the threat environment is not theoretical.  Kidnapping, carjacking, and targeted violence against high-net-worth individuals and corporate personnel are operational realities in certain regions, not worst-case scenarios to be footnoted in a travel policy.  Organizations that send people into those environments without a genuine duty of care framework are not just taking a risk.  In many cases they are taking a legal one.

What Duty of Care Actually Means

Duty of care is a legal and ethical obligation that requires organizations to take reasonable steps to protect the health, safety, and security of their employees, particularly when those employees are travelling or operating on behalf of the organization.  It is not optional and it is not limited to domestic environments.

In the United States, the OSHA General Duty Clause requires employers to provide a workplace free from recognized hazards that are likely to cause serious harm. Courts have consistently interpreted this to extend beyond the physical workplace to environments where employees are sent to conduct business.  Internationally, ISO 31030, the global standard for travel risk management, provides a structured framework for how organizations assess, communicate, and mitigate risk to traveling personnel.  Organizations that ignore these standards do not eliminate their liability.  They simply eliminate their defense.

Despite this, a significant number of organizations treat duty of care as a compliance checkbox rather than an operational discipline.  A travel policy gets written, a security briefing gets emailed, and the assumption is made that the obligation has been met.  It has not.

What a Real Framework Looks Like

The foundation of any serious travel risk management program is threat assessment that is specific to the destination, the traveler’s profile, and the nature of the work being conducted.  General country-level risk ratings are a starting point, not a methodology.  A corporate executive traveling to a major hotel in a capital city for a two-day conference faces a meaningfully different threat profile than a procurement manager traveling to a secondary city to visit a supplier facility.  Treating those trips identically because they share a country code is not risk management.

Beyond assessment, a genuine framework includes pre-travel briefings that are tailored and substantive rather than generic, communication protocols that establish regular check-ins and clear escalation paths if contact is lost, in-country support that is appropriate to the threat environment, and a medical and emergency response capability that has been verified rather than assumed.  It also includes post-travel debriefs, which most organizations skip entirely, despite the fact that returning travelers are often the best source of ground truth intelligence about whether the threat picture has changed.

Research from Gallup consistently documents that employees who feel their organization genuinely cares about their safety demonstrate significantly higher engagement and are more likely to report concerns before they become incidents.  The human dimension of duty of care is not separate from the operational one.  They reinforce each other.

Who This Applies To

The organizations that most consistently underestimate their duty of care exposure tend to fall into predictable categories.  Manufacturing companies with supplier relationships in challenging regions, energy companies with field operations in politically unstable areas, and professional services firms whose consultants travel extensively to client sites in markets with elevated security risks.  Any organization that moves people internationally as a routine part of operations is carrying out duty of care obligations whether or not those obligations have been formally acknowledged.

The legal exposure when something goes wrong and an organization cannot demonstrate that reasonable precautions were taken is substantial.  More importantly, the human cost of getting it wrong is not recoverable.

What Getting It Right Actually Requires

My career has taken me from operating in hostile environments as part of a Special Forces Operational Detachment Alpha (ODA), to sitting inside a major financial institution trying to apply corporate risk frameworks to problems those frameworks were not designed to solve, to conducting executive protection operations in some of the most challenging environments in the Western Hemisphere.  The consistent thread across all of it is this: the organizations and teams that kept people safe were the ones that did the work before anything happened, not the ones that responded well after it did.

Duty of care for high-risk travel is not a legal formality.  It is an operational discipline that requires the same kind of deliberate, pre-incident thinking that effective security work demands in any context.  If your organization sends people into difficult environments and your current framework is a travel policy and a country risk rating, that gap is worth closing before it becomes relevant under circumstances where closing it is no longer possible.

At Convoy Group, pre-travel threat assessment and duty of care consulting are core to what we do.  If you want to understand what a real framework looks like for your organization’s specific exposure, that conversation is worth having.