There has been increasing chatter in the travel and lodging fraternity about the upcoming issue of ISO31030 Travel Risk Management – Guidance for Organisations. NPI welcomes ISO31030 because as we have previously commented. It is surprising how many well know companies struggle with Travel Risk Management and we have issued blog posts advising on establishing effective Travel Risk Management programs. The ISO is a timely wake-up call for hotel companies by demonstrating that businesses are taking more interest in their duty of care to protect their travellers. It is also evidence that hotel companies need to do more to provide reassurance to companies that they take security seriously.
The ISO will be attractive to companies because they will be able to use the ISO to mitigate against potential liability connected to company travel by demonstrating that they have complied with ISO 31030. The standard will also be welcomed by those companies offering hotel ‘vetting services’ who are surely counting on the standard to drive business and perhaps offer opportunities to support wider Travel Risk Management
The current draft section on ‘Accommodation Selection’ and the supporting Annex C – ‘Accommodation Concerns for High-Risk Locations, is of particular interest to hotel companies whose sales to corporate clients may be held hostage to ‘appropriate, objective, qualified vetting’. We hope ISO see the potential for this and review further before confirming the final version. The draft standard suggests in Annex C that such vetting will be conducted by ‘third party security & and intelligence providers’ ‘utilising trained and qualified staff’.
It is worth stating here that NPI does not have a ‘dog in this fight’. We seek to assist hotel companies and their hotels to build security, safety, and resilience capability rather than judge them, but we do wonder what does ‘trained and qualified’ mean? we do not normally conduct hotel level audits. We do, however, wonder what ‘trained and qualified’ means: does it refer to individuals who have a comprehensive understanding of hotel operations, who understand the culture and the complex ownership and management matrix? These matters are essential elements that give context to understanding hotel security. For example, whilst at IHG we employed a well-known intelligence and security company to conduct ‘appropriate, objective and qualified ‘vetting’ of a large hotel in a high-risk area. The individuals they deployed were undoubtedly security qualified but had little knowledge of hotel operations and so many of their recommendations, whilst theoretically correct, were unworkable because they would disrupt hotel operations and failed to align with the business or the needs of corporate guests. We stopped using such companies, recruited more staff and did it ourselves.
There are many companies out there claiming to have expertise in hotel security, but buyer beware: companies that truly have the experience and expertise to judge hotel security within context are few and far between. Vetting’ companies whose only evidence of hotel experience is a statement that they have done ‘loads of hotels’; a deeper dive into their credentials is important. A big name is no guarantee of relevant capability. Finding a company that understands hotels is vital. These companies will be more readily accepted by hotels and will be able to deliver value to both hotel and corporate client. The hotel security ‘pretenders’ will more likely antagonise hotels with their lack of operational understanding. I cannot remember the number of complaints I received at Head Office from hotels complaining that they had had company X sniffing around the property demanding sensitive information and generally upsetting people with their lack of understanding and ‘high handedness’. So who and how will ‘accredit’ third-party vetting companies and ensure the quality of their work? – ‘who will police the police’?
The areas of consideration in Annex C are all valid but are somewhat ‘thin’; the large hotel companies will have high-risk security requirements that far exceed Annex C specifications. In short, Annex C misses a critical point that is so often overlooked: hotel security is only as good as the management, leadership and buy-in of senior leadership to the security program. Hotels can have all the security equipment in the world but if it is not integrated with people, procedures and other security resources, its effectiveness will be seriously compromised. This is where having an understanding and experience of hotel operations comes into play.
A key question is whether the suggested ISO Accommodation Selection process will drive focus on compliance rather than capability, to confuse the two is a mistake.
Before expending large amounts on third party ‘vetting’ services, Travel Risk Managers should engage with hotel company’s corporate security teams, where such exists. In this way, an understanding of the company’s security ‘controlling mind’, security risk management programs, compliance regimes and crucially culture can be gained. Where corporate security teams do not exist, the rationale for 3rd party security assurance hotel visits becomes much stronger. For hotels operating in high-risk areas, the corporate security teams, where they exist, will be able to supply the information required by Annex C and produce evidence of standards compliance through internal checks and audits. Third-party spot checks can support corporate security teams by providing independent assurance and capacity enhancement where corporate resources are limited. . A balance needs to be struck because a large hotel could have 10s of major corporate clients, can you imagine how hotels would respond to a ‘blizzard’ of third-party audits from each of their major clients? They will most likely dig their heels in and resist.
It is good to see that the standard highlights the issue of managed/owned/franchise; this is a key issue. I used to be concerned when I learnt that a franchise hotel was to be built in a high-risk area because hotel companies have limited control or oversight of franchise hotels. I fully support the concept of third-party vetting of franchise hotels operating in high-risk areas because the hotel companies are largely unable to do it themselves. A case could be made for third party safety and security ‘vetting’ of franchise hotels in medium risk areas as well.
Equally, there is a place for third party engagement with managed hotels, where clear and added value to the managed hotel corporate security function is evident.
So, ISO 31030: a good start and a step in the right direction and we await the final version. Well done to the team in general, but certainly, the Accommodation Selection has development opportunities. I do wonder what hotel company corporate legal teams will make of it.
Questions for Consideration:
- Are you sure that the third-party hotel vetting company is up to the job?
- Does your Travel Risk Management team have enough security expertise to constructively engage with hotel company security teams and security vendors?
- Are there gaps in your travel risk program that may prevent you from reaching the standard?
- Do you need assistance building robust and effective travel risk management programs and implementing the standard?
With over 50 years experience leading corporate security at some of the world’s largest hotel groups NorthPoint International has supported hotels in preparing for almost every event imaginable from global heads of state summits to the Olympics. How can we help you ensure you’re organization is ready for ISO 31030?