
Common ISO 31030 Compliance Gaps & How to Fix Them


ISO 31030 has become the benchmark against which travel risk management programs are measured; however, benchmarking only adds value if you know where to look for gaps. In our work auditing and enhancing TRM programs across sectors and geographies, we encounter the same ISO 31030 compliance gaps with striking regularity.

This article documents the most common such gaps and offers recommendations on how to bridge them for teams of any size.

A NOTE ON WHAT “COMPLIANCE” MEANS HERE

ISO 31030 is guidance, not a certifiable standard. There is no official ISO 31030 “standard certification” body, and no credentialed auditor will arrive to stamp your program as compliant or non-compliant. What the guidance provides is a rigorous, internationally recognized framework against which your program can be honestly assessed.

When we refer to “compliance gaps” in this context, we mean areas where an organization’s TRM program falls meaningfully short of what ISO 31030 recommends, leaving people less protected and the organization more exposed than it should be. 

GAP 1: A TRM POLICY THAT EXISTS ONLY ON PAPER

What we see: The organization has a travel risk management policy, often a well-formatted document that mentions duty of care and references applicable regulations. However, most travelers have not read it, and management does not refer to the policy to guide decisions. The policy has not been communicated effectively, is not applied consistently, and/or has not been updated since it was first drafted.

Why it matters: ISO 31030 is explicit that policy must be not only documented but actively communicated and implemented. A policy that lives in a shared drive folder is not a functioning policy. It provides legal cover in the narrowest sense while offering virtually no actual protection.

How to fix it:

  • Conduct a policy review against ISO 31030’s recommended content areas; most legacy TRM policies omit significant risk categories
  • Establish a formal communication plan: who receives the policy, when, and how its contents are confirmed
  • Build policy acknowledgment into onboarding and pre-travel processes, not just annual compliance sign-offs
  • Set a review cadence: at minimum annually, or following any significant incident or organizational change

GAP 2: RISK ASSESSMENT THAT RELIES ENTIRELY ON GOVERNMENT TRAVEL ADVISORIES

What we see: When asked how destination risks are assessed, the answer is invariably some variation of: “We check the [government] travel advisory.” No additional intelligence sources, no threat-specific analysis, no consideration of the organization’s particular profile or activities in that location.

Why it matters: Government travel advisories are broad, conservative, and often weeks or months behind rapidly evolving threat environments. They are designed for general audiences, not for an organization operating in a specific sector, with specific staff profiles, in specific parts of a country. ISO 31030 calls for a rigorous, organization-specific risk assessment methodology.

How to fix it:

  • Develop a documented risk assessment methodology that accounts for destination-specific threats (security, health, environmental, political, cyber, etc.), the organization’s operational profile, and traveler-specific factors such as nationality, role, and experience
  • Supplement government advisories with commercial threat intelligence sources, in-country networks, and sector-specific reporting
  • Establish clear escalation thresholds: at what risk level does travel require senior approval? When is it suspended entirely?
  • Ensure early-warning mechanisms are in place so that risk assessments are updated when conditions change, not just before a trip is booked; for instance, is anyone monitoring incident feeds?

GAP 3: NO MEANINGFUL PRE-TRAVEL BRIEFING PROCESS

What we see: Travelers are either not briefed at all before departing, or else sent a generic email with links to a few resources they simply won’t read. There is no structured process for ensuring that travelers understand the specific risks they face, the protocols that apply to them, or what to do if something goes wrong.

Why it matters: ISO 31030 places significant emphasis on traveler preparedness as a core component of any TRM program. The rationale is straightforward: even the best back-end systems, including tracking platforms, 24/7 response lines, and evacuation coverage, are degraded if the traveler doesn’t know how to use them or what behaviors are expected of them in the field.

How to fix it:

  • Consider tabletop scenarios or practical exercises as part of the briefing process
  • Develop tiered pre-travel briefing content calibrated to destination risk level: low-risk travel might warrant a streamlined digital briefing; high-risk travel should involve a substantive conversation with someone who knows the environment
  • Briefings should cover, at minimum: destination-specific risks, in-country protocols, emergency contacts, check-in procedures, and available support resources
  • Record and verify that briefings have occurred, both for program management purposes and for liability reasons

GAP 4: FRAGMENTED OR NON-EXISTENT TRAVELER TRACKING

What we see: The organization cannot say with confidence where its travelers are at any given moment. Itineraries are scattered across individual inboxes, booking tools, and spreadsheets maintained by assistants. When asked to locate a traveler in an emergency, the process involves a chain of phone calls and educated guesses.

Why it matters: ISO 31030 is unambiguous: organizations need to know where their travelers are. This has become a foundational requirement for any meaningful incident response capability: you cannot assist a traveler in difficulty if you don’t know where they are.

How to fix it:

  • For remote or high-risk environments, consider GPS-enabled tracking and satellite communication devices where cellular coverage cannot be guaranteed
  • Centralize itinerary capture in a single system, whether a dedicated travel risk platform or a well-governed internal tool, and enforce its use, disincentivizing trips booked outside the system
  • Integrate booking channels where possible so that itinerary data populates automatically rather than relying on manual updates
  • Establish clear check-in protocols for travel to elevated-risk destinations: how often, through what channel, what the escalation procedure is if a check-in is missed, and who will ultimately be held responsible 

GAP 5: INSURANCE COVERAGE THAT DOESN’T MATCH ACTUAL EXPOSURE

What we see: The organization has standard business travel insurance. However, on closer inspection, the plan actually excludes medical evacuation from high-risk destinations, contains war and civil unrest exclusions that apply to the very environments the organization operates in, and has no kidnap, ransom, and extortion (KR&E) coverage despite staff traveling to regions where that risk is material.

Why it matters: ISO 31030 addresses risk transfer explicitly, and insurance is the primary mechanism. But insurance only works as a risk transfer tool if the coverage actually matches the exposure. Discovering a gap in coverage during an incident is one of the most costly and avoidable failures in travel risk management.

How to fix it:

  • Ensure travelers know what their coverage includes and how to access it; an insurance policy that travelers can’t activate in an emergency is not much better than no policy at all
  • Conduct a coverage review against your actual operational footprint: where do your people travel, what do they do there, and what scenarios are plausible?
  • Pay particular attention to medical evacuation coverage; the cost of an uninsured medevac from a remote or high-risk location can be catastrophic
  • Evaluate whether KR&E coverage is appropriate given your destinations and traveler profiles; this is often underutilized by organizations that would genuinely benefit from it

GAP 6: INCIDENT RESPONSE THAT HAS NEVER BEEN TESTED

What we see: The organization has documented incident response procedures: a crisis management plan, an emergency contact list, defined roles and responsibilities. But none of it has ever been exercised. The first time the plan is activated, it will be in a real incident, with real consequences, and the gaps will become apparent at the worst possible moment.

Why it matters: ISO 31030 emphasizes not just the existence of incident response plans but their operational readiness. Plans that have never been tested contain assumptions that have never been validated, such as beliefs about who is available, what tools actually work, how long procedures actually take, and whether the people responsible for executing them actually know what to do.

How to fix it:

  • Schedule annual tabletop exercises that simulate realistic incident scenarios relevant to your operational environment: a traveler hospitalized in a country with poor healthcare infrastructure, a civil disturbance requiring evacuation, a traveler who has gone out of contact
  • After each exercise, conduct a structured debrief to identify gaps and update plans accordingly
  • Ensure that response responsibilities don’t sit with a single individual whose absence would create a critical failure point; build redundancy into your response structure
  • If 24/7 response capacity is not achievable in-house, consider whether a contracted assistance provider is appropriate

GAP 7: NO FEEDBACK LOOP FROM TRAVELERS

What we see: The TRM program generates outputs, such as briefings, policies, and tracking systems, but receives very little input from the people it’s designed to protect. Travelers are not systematically debriefed after travel. Their observations about ground conditions, the usefulness of pre-trip information, and any incidents or near-misses they experienced are never captured.

Why it matters: ISO 31030 treats traveler feedback as a core component of program improvement. This makes intuitive sense: travelers are the organization’s primary source of ground-truth intelligence about whether the program is actually working. 

How to fix it:

  • Implement a post-travel debrief process, scaled to the risk level of the journey: a simple digital survey for routine travel, a structured conversation for complex or high-risk trips
  • Create a clear channel for travelers to report near-misses, safety concerns, or gaps in the support they received, and make clear that such reports are welcomed, not discouraged
  • Review traveler feedback systematically and integrate findings into program updates on a regular cadence
  • Close the loop: when traveler feedback leads to a program change, communicate that change back to the traveler population so that people feel their input matters

GAP 8: TRM OWNED BY ONE PERSON WITH NO ORGANIZATIONAL BACKUP

What we see: Travel risk management sits with a single individual: a security manager, a travel manager, or sometimes a senior executive who has accumulated the responsibility over time. When that person is unavailable, on leave, or leaves the organization, the program effectively pauses. There is no documented succession, no cross-trained backup, and no institutional knowledge that survives beyond one person’s tenure.

Why it matters: ISO 31030 requires that TRM responsibilities be clearly assigned and that the program be embedded in the organization’s governance structure, not dependent on individual heroics. Single points of failure are a structural vulnerability, and they tend to be exposed at the worst possible time.

How to fix it:

  • Engage HR, Legal, and senior leadership in TRM governance so that the program has institutional anchoring beyond a single role
  • Document TRM roles and responsibilities formally, including who provides cover when primary owners are unavailable
  • Cross-train at least one backup for each critical TRM function
  • Ensure that key information, including vendor contacts, platform credentials, policy documents, and response procedures, is stored in shared systems accessible to authorized backup personnel, not in individual email accounts or local drives

TURNING ISO 31030 COMPLIANCE GAP ANALYSIS INTO ACTION

The gaps described above are common precisely because they’re easy to overlook until they’re not. A well-functioning TRM program requires ongoing attention, not a one-time implementation effort.

The most practical starting point for most organizations is a structured audit: a systematic review of your program against ISO 31030’s recommendations that produces a prioritized remediation roadmap. Our guide to conducting a travel risk management audit walks through exactly how to approach that process, while our travel risk management framework article provides the structural foundation it’s built on.
