In 2023, a European NGO faced a lawsuit after a staff member was injured during a protest in Addis Ababa. The organization had travel insurance. They had a two-page security policy. They even had a check-in procedure. But when the plaintiff's attorney asked for documented evidence of a pre-travel risk assessment, current threat monitoring, and tested emergency communication, the NGO had nothing. The case settled for seven figures.
ISO 31030 exists precisely because of cases like this. It sets out what a travel risk management program should look like, not in theory, but in the kind of documented, demonstrable practice that holds up in court.
What ISO 31030 Is and Why It Matters Now
Published in September 2021, ISO 31030 is the first international standard dedicated to travel risk management. It's part of the broader ISO 31000 risk management family, but it addresses the specific risks associated with people traveling for work.
A few important things to understand upfront:
- It's guidance, not certification. Unlike ISO 27001 (information security) or ISO 9001 (quality management), you can't get "ISO 31030 certified." There's no audit body, no certificate to hang on the wall. It's a guidance standard, a framework for building and evaluating your TRM program.
- It's becoming the legal benchmark. Courts and regulators increasingly reference ISO 31030 when evaluating whether an organization met its duty of care obligations. Lawyers on both sides of travel-related litigation use it as the measuring stick. If your program aligns with ISO 31030, you're in a strong position. If it doesn't, you're exposed.
- It applies to all organizations that send people across borders. Not just corporates: NGOs, universities, government agencies, media organizations, and anyone else with duty of care obligations to traveling personnel.
- Donor requirements are catching up. Major institutional donors (USAID, DFID/FCDO, the EU) are increasingly asking implementing partners to demonstrate alignment with ISO 31030 or equivalent standards in their security management plans. This isn't universal yet, but the trend is clear.
The 5 Key Requirements Organizations Miss
Most organizations that claim to manage travel risk are missing at least three of these five requirements. They're not hard to meet, but they require intention and documentation.
1. A Formal Travel Risk Management Policy
Not a paragraph in the employee handbook. A standalone policy document that defines:
- What constitutes "travel" under the policy (does a commute count? a local field visit? a conference in a neighboring country?)
- Roles and responsibilities: who approves travel, who conducts risk assessments, who manages incidents, who reviews the program
- Risk tolerance thresholds: at what level of risk travel requires escalated approval or is denied
- Legal and regulatory obligations specific to your industry and jurisdictions
The policy doesn't need to be 40 pages. It needs to be clear, current, and accessible to everyone who travels or manages travelers. Most organizations either don't have one or have one that hasn't been updated since it was written.
2. Continuous Risk Assessment
This is where most programs fall apart. ISO 31030 doesn't expect you to assess risk once and file it. It expects ongoing monitoring of the threat environment at each destination where your people travel.
"Continuous" means your risk assessments reflect current conditions. If your team is traveling to Bamako next week, the assessment should include this week's protests, this month's military operations in the north, and yesterday's fuel shortage that's causing road blockages in Koulikoro. A risk assessment from January doesn't protect your traveler in February.
The practical requirement: a monitoring system that tracks evolving threats at your travel destinations and feeds that information into your pre-travel approval process. This can be a human analyst checking sources daily, or a technology platform doing it continuously. But it can't be a quarterly PDF.
3. Traveler Preparedness
ISO 31030 expects organizations to prepare travelers for the specific risks they'll face. Not a generic security awareness module. Specific, destination-relevant briefing material.
What that looks like:
- Current threat briefing for the destination, including local risks the traveler might not be aware of
- Emergency contacts: not just a general helpline, but the specific people and numbers relevant to that destination
- Communication plan: how to check in, how to report an incident, what to do if comms go down
- Medical preparation: required vaccinations, prophylaxis, location of nearest hospitals, medical evacuation procedures
- Cultural and legal considerations: laws that might affect the traveler based on their nationality, gender, or role
The standard expects this to be documented and delivered before departure. "We told them to be careful" doesn't meet the bar.
4. Incident Management Procedures
When something goes wrong, how does your organization respond? ISO 31030 expects documented, tested procedures for:
- Establishing contact with affected travelers
- Assessing the nature and severity of the incident
- Making shelter-in-place or evacuation decisions
- Activating pre-arranged security and medical support
- Communicating with families, leadership, and relevant authorities
- Logging decisions and actions for post-incident review
The key word is "tested." A crisis management plan that's never been exercised is a theory, not a plan. ISO 31030 expects tabletop exercises and communication tests. When your security manager's phone rings at 3 AM because a staff member was in a car accident outside Lusaka, that's not the time to read the crisis management plan for the first time.
5. Program Review and Improvement
ISO 31030 treats travel risk management as a cycle, not a project. The standard expects regular review of:
- Incident data: what happened, what worked, what didn't
- Near-miss analysis: what almost happened, and how to prevent it
- Traveler feedback: what did they experience that wasn't in the briefing?
- Program effectiveness: are the processes being followed? Are they producing the intended outcomes?
- Vendor and tool performance: is your intelligence provider delivering timely, relevant information?
Annual review at minimum. Quarterly is better. After any significant incident, immediately.
The Documentation Gap
The most common failure isn't in doing the work; it's in documenting the work. Organizations that brief travelers verbally but don't record it. Teams that monitor threats but don't log what they monitored. Security managers who make good decisions during incidents but don't document their reasoning. If it's not documented, it doesn't exist in a legal proceeding. ISO 31030 is explicit about this.
How ISO 31030 Connects to Duty of Care
Duty of care is the legal obligation to take reasonable steps to protect employees from foreseeable harm. It's not optional. It exists in every jurisdiction, though the specifics vary.
ISO 31030 operationalizes duty of care for travel. It answers the question: "What does reasonable care look like when you send someone to a dangerous place?"
The connection matters in three scenarios:
Litigation
When an employee or their family sues after a travel-related injury or death, the central question is whether the organization took reasonable precautions. ISO 31030 provides the framework courts use to evaluate "reasonable." Did you assess the risk? Did you brief the traveler? Did you monitor conditions? Did you have a response plan? If yes, and you can prove it, your legal exposure drops significantly. If no, you're defending the indefensible.
Regulatory Compliance
In the UK, the Corporate Manslaughter and Corporate Homicide Act 2007 holds organizations liable for deaths caused by gross management failures. Health and Safety Executive guidance explicitly references the need for travel risk assessment. In Germany, the ArbSchG (occupational safety law) extends employer duty of care to international assignments. Similar frameworks exist across the EU, Australia, and increasingly in Africa and Asia.
ISO 31030 alignment gives you a defensible answer to any regulator asking: "What did you do to protect this person?"
Donor and Contractual Requirements
For NGOs, duty of care isn't just a legal obligation; it's a funding condition. USAID's Automated Directives System (ADS 527) requires implementing partners to maintain security management plans. The EU's Framework Partnership Agreement includes requirements for staff safety. DFID/FCDO evaluation criteria increasingly reference international standards for travel risk management.
An ISO 31030-aligned TRM program gives you a strong answer in every proposal, audit, and compliance review.
What Auditors Actually Look For
While there's no formal ISO 31030 audit process, organizations that adopt the standard often face scrutiny from insurance auditors, donor compliance teams, legal counsel during due diligence, and internal audit functions.
Based on what these reviewers typically examine:
- The policy itself. Does it exist? Is it current? Has it been approved by senior leadership? Is it accessible to travelers and managers?
- Risk assessment evidence. Can you show a documented risk assessment for the last five high-risk trips? Not a template, but a completed assessment with current threat data, specific to the destination and travel dates.
- Traveler briefing records. Can you demonstrate that each traveler received a destination-specific briefing before departure? Signatures, email confirmations, or training records.
- Monitoring capability. What system do you use to track emerging threats at destinations where your people are currently traveling? Show the tool. Show the alert logs. Show the escalation chain.
- Incident response documentation. For any incidents that occurred, show the log. Timeline of events. Decisions made. Rationale. Outcome. Lessons learned.
- Review records. When was the TRM program last reviewed? What changed as a result? Can you show a trend of improvement?
- Communication test results. When did you last test your emergency communication channels? With what result? What did you fix?
The theme is evidence. Not intent. Not aspiration. Documented, timestamped evidence that the program operates as described.
Practical Tip
Start a simple audit trail now, even before you've built a full TRM program. For every high-risk trip, create a folder with: the risk assessment, the traveler briefing, the check-in log, and any incidents or near-misses. After six months, you'll have a documented track record that demonstrates pattern and practice, which is exactly what auditors and courts want to see.
Technology Requirements for Compliance
ISO 31030 doesn't prescribe specific technologies. It requires capabilities. Here's what you need to demonstrate, and how technology supports it.
Threat Monitoring
The standard expects "current and relevant information about risks at the traveler's destination." That requires a monitoring system. It can be a dedicated intelligence platform, an analyst checking sources manually, or a combination. The key is that it's operating continuously, not just during the pre-travel phase.
For organizations operating in non-English-speaking regions, this means a monitoring system with local-language coverage. A protest building in Ouagadougou won't show up in English-language sources until hours after it's blocked the road. A strike at a port in Dar es Salaam will circulate in Swahili-language union groups before any English-language shipping platform picks it up.
Communication Systems
Two requirements: reaching travelers reliably, and travelers reaching you reliably. In most high-risk environments, this means a primary channel (mobile/WhatsApp), a secondary channel (satellite messenger), and a tertiary channel (satellite phone), with all three tested before deployment.
Traveler Location Awareness
ISO 31030 expects organizations to know where their travelers are, with enough precision to assess their exposure to a reported threat. This can be as simple as an itinerary with daily location updates, or as sophisticated as GPS tracking. The level of precision should match the risk level.
Documentation and Record-Keeping
Every assessment, briefing, check-in, incident, and review needs to be logged and retrievable. This can be a purpose-built platform or a well-organized shared drive. What it can't be is the security manager's email inbox.
Region Alert's Role in Meeting ISO 31030 Requirements
Region Alert directly supports three of the five core ISO 31030 requirements:
Continuous Risk Assessment
We monitor local-language sources across 100+ languages (Telegram channels, community forums, regional news outlets, radio broadcasts) and deliver alerts tied to your specific travel destinations. When the threat picture changes at a location where your team is deployed or traveling, you know within minutes. Not from a quarterly report. Not from a government advisory published three days late. From the source, in the original language, as it happens.
Traveler Preparedness
Our alert history and regional threat data feed directly into pre-travel briefings. When your security manager prepares a briefing for a trip to Bamako, they're working with current incident data, trend analysis, and route-specific intelligence, not a static country profile.
Program Review
Alert logs and incident data from Region Alert provide the evidence base for program reviews. You can demonstrate what threats were detected, when alerts were issued, and how the team responded. That's the audit trail ISO 31030 expects.
We don't replace your communication systems, your location tracking, or your crisis response procedures. We provide the intelligence layer that makes all of those tools effective: the early warning that something is about to change at the place where your people are.
$499/mo. Published pricing. No enterprise contract. No six-month procurement process.
Checklist: ISO 31030 Readiness Assessment
Use this to evaluate where your organization stands. If you can check fewer than half of these items, you have significant gaps. That doesn't mean you need to fix everything at once; it means you need a plan.
Policy and Governance
- We have a standalone travel risk management policy document
- The policy defines roles and responsibilities for TRM
- Senior leadership has formally approved the policy
- The policy has been reviewed and updated within the past 12 months
- All travelers and travel approvers have access to the policy
Risk Assessment
- We conduct destination-specific risk assessments before high-risk travel
- Risk assessments are based on current threat intelligence, not static profiles
- We have a threat monitoring system (human or technology) that covers our active destinations
- Our monitoring covers local-language sources, not just English-language media
- Risk assessments are documented and retained for each trip
Traveler Preparedness
- Travelers receive a destination-specific briefing before departure
- Briefings include current threat information, emergency contacts, and communication protocols
- Briefing delivery is documented (signature, email confirmation, or training record)
- Travelers have appropriate communication equipment for the destination
- Medical preparations (vaccinations, prophylaxis, insurance) are verified before travel
During-Travel Management
- We have a check-in protocol for travelers in high-risk destinations
- We monitor evolving threats at destinations where our people are currently deployed
- We have a documented escalation procedure for missed check-ins
- We can locate our travelers with sufficient precision to assess their exposure to a reported threat
Incident Response
- We have a documented crisis management plan for travel-related incidents
- Emergency contacts and response chains are current and tested
- We have pre-arranged relationships with local security and medical providers at key destinations
- We've conducted a tabletop exercise or communication test within the past 12 months
- Incident logs capture timeline, decisions, rationale, and outcomes
Program Review
- We review the TRM program at least annually
- Post-trip feedback from travelers is collected and incorporated
- Near-miss events are analyzed and used to improve the program
- Vendor and tool performance is evaluated regularly
- Review findings are documented and result in specific action items
Close the Intelligence Gap
ISO 31030 requires continuous threat monitoring. Region Alert delivers it in 100+ languages, starting at $499/mo. No enterprise contract needed.