The global economy is in a significant state of disharmony involving the flow of trade between the world’s nations. This has resulted in most of the recent major economic calamities.
In April 1959, then Sen. John F. Kennedy said, “The Chinese use two brush strokes to write the word ‘crisis.’ One brush stroke stands for danger and the other for opportunity. In a crisis, be aware of the danger, but recognize the opportunity.”
Recognition of opportunities for more than 50 years has brought about corporations becoming much more focused on global business operations. The drive for establishing new markets internationally quickly improved support of worldwide customers, with tens of thousands of global corporation employees being deployed to 190 countries. Those employees face a multitude of challenges, menaces, and threats such as exposure to the Zika virus, massive floods, widespread power outages, civil unrest causing significant disruptions, erupting volcanos shutting down air space over countries, terrorist attacks in public places, earthquakes, and winter storms causing blizzard conditions. These are just some of the risks that are associated with working globally.
Conducting the business impact analysis (BIA) annually will determine the vulnerabilities of undertaking business on a global scale. The next step is to develop the mitigation plans to address these threats and the risks to the employees. One of the areas often overlooked is a crisis plan addressing the abduction or kidnapping of these employees who are traveling to foreign countries and holding them for ransom or extortion. Often this risk is not considered because senior leadership believe someone in human resources must have already handled this, or the crisis management team assumes there must already be an established plan to deal with this threat. The reality is most of the time there is not a well-defined plan or a policy.
Kidnap, Abduction, Ransom and Extortion
Kidnapping, abduction, ransom, and extortion (often referred to as K&R) are significant threats to any global organization and those who work around the world. Most vulnerable are organizations with employees who are based or traveling overseas in search of new markets or supporting international customers. Some of these employees have high-profile roles in the financial, energy, manufacturing, or technology industries. Some of them may manage operations that handle large amounts of cash or work with sensitive competitive technology.
In 2015, abstract reports from both the United Nations Office on Drugs and Crime (UNODC) and the World Health Organization (WHO) reported the estimated number of people who are kidnapped on an annual basis are about 50,000, and that number is potentially underestimated because it does not include verified information from most of the 190 countries. The International Criminal Police Organization (INTERPOL) based in Lyon, France, with 190 member countries, estimates the number of people kidnapped or abducted during the last 10 years was closer to an annual average of 100,000 people. Based on how statistics are collected and reported in the various countries, it is believed even this number is relatively low.
According to the annual K&R statistics contained within global threat reports generated from several international business risk firms, there are eight regions geographically reporting the percentage of kidnappings and abductions for ransom and extortion. Between 2012 and 2015, percentages have increased following the international business trends on where global corporations are doing business.
During 2012, percentages of kidnappings and abductions in the eight regions reported the following:
- Africa 22%
- Asia Pacific 6%
- Central Asia 38%
- Eastern Europe 4%
- Latin America 6%
- Middle East 17%
- North America 3%
- Western Europe 4%
As compared in 2015, percentages of kidnappings and abductions in the eight regions that were reported show a trend increase in Latin America:
- Africa 22%
- Asia Pacific 6%
- Central Asia 27%
- Eastern Europe 4%
- Latin America 17%
- Middle East 17%
- North America 1%
- Western Europe 6%
As we already know, risks cannot be eliminated; however, risks can sometimes be mitigated.
Once this risk has been identified during the annual business impact analysis (BIA) as a real vulnerability and a risk to employees, what mitigation approaches might be taken?
K&R insurance policies might be a mitigation strategy for your corporation.
There are about 20 established international insurance companies today that will underwrite K&R insurance policies. However, one of the most recurrent assumptions that both senior leadership of the corporation and even the employees make is assuming that standard business travel insurance benefits will also include K&R insurance or at a minimum the corporation has a crisis plan if someone has been kidnapped or abducted and or held for ransom or extortion. Assume nothing.
This is absolutely not true. The business reasons why K&R insurance policies are usually not included within the business travel insurance for employees are based on the following factors:
- cost of premiums the K&R insurance
- country of residence
- profile of the employee and role with the business
- type of industry
- revenue of the company
- travel patterns of the employees including frequency and length of stay
- travel alerts published by government agencies.
K&R insurance is purchased separately to mitigate the significant financial loss to a corporation that can be realized when an employee is kidnapped or abducted for the purposes of ransom or extortion. Sometimes the ransom exceeds $1 million.
So, back to the annual BIA to review which employees were considered essential employees and which roles within the critical business function were considered essential to run daily operations of that critical business function.
A corporation having 50,000 to 100,000 employees cannot realistically afford K&R insurance for all employees. Based on the high cost of K&R insurance policy monthly premiums, amount of risk willing to assume, the number of employees that have to meet actual business requirements of the critical business functional role, the key question is just how essential is essential.
Let’s consider a realistic business scenario for a moment …
Your company sends two American employees to Mexico to review the infrastructure of another company located in Mexico that the parent company back in the United States is going to acquire. These employees are going to review the physical, system, and application infrastructure of the Mexican’s company data center they are going to acquire. Their mission is to document the infrastructure and inventory all hardware to determine the best approach to consolidate this Mexican data center into existing data centers back in the United States. The new business being acquired will still run all business operations in Mexico, just consolidate the IT infrastructure in the United States. On the fifth day of a three-week trip, the two employees are kidnapped from a small local restaurant in Mexico City, and the company is notified that both employees are being held for ransom. These two employees are IT engineers and, during the latest BIA, were not determined to be essential to the critical business function. The K&R insurance provider confirms these two employees were not listed on the K&R insurance policy. Furthermore, the United States State Department had published a “Travel Advisory” four months earlier indicating a “moderate risk” for all Americans traveling to Mexico. If the employees had been covered by the K&R insurance policy, this travel advisory would more than likely nullify any policy coverage based on the original business requirements when the K&R insurance policy was written.
Every month, official travel alerts are published by the United States State Department and by the Centers for Disease Control and Prevention (CDC). Both agencies have websites that are currently updated for most countries.
As with any insurance policy, for any type of business travel insurance coverage, it becomes critically important the crisis management team reviews and clearly understands what is and is not covered. Insurance is about mitigating risk, transferring risk, or accepting a portion of the risk, which all depends on the willingness of the business to determine how much risk can they afford to accept. As an example of one approach, some international oil and gas corporations are establishing business travel policies to reflect certain essential employees can no longer travel by commercial airline and must fly private or corporate jets to minimize risk.
Six Steps to Help Mitigate Risk of K&R
- Planning Prior to Travel
- Verify your passport is current for the following 6-12 months.
- Verify the visa requirements for the countries you are going to and meet all the requirements.
- Confirm and book all travel with approved company travel department or agency.
- Use direct flights where possible and ask if flights not booked direct can be.
- Verify and validate that the business office you are traveling to know you are coming, have a copy of your travel itinerary, and your itinerary will be kept confidential.
- Verify you have color copies of your passport, visa, tickets, and other travel information.
- Verify you have a picture of someone from your local office that will meet you at the airport.
- If you have any medications, verify you have them in your personal carry-on luggage.
- Validate you have telephone numbers for canceling all credit cards.
- Obtain local currency in advance to avoid having to exchange currency in a public place.
- Carry any sensitive information you have for business in your personal carry on luggage
- Do not use a business card as your luggage tags or luggage labels.
- Do use a business address and business telephone number for luggage tags.
- Have a daily business plan on exactly what is your travel purpose, how you will measure your mission completion, and what exactly is your exit strategy.
- Arrange to be met at the baggage area by someone you either know or have a confirmed photograph of in advance. The photo could be on your mobile phone.
- Arrange for a discreet way of identification in the arrival hall to avoid using signs displaying your name or company.
- Always check the identification and credentials of the person meeting you.
- If no one is available to meet you, use a prearranged car service and not a local taxi.
- Know which areas represent the highest security risk.
- Accept that there may be a real risk present and that you may be the target.
- When you check in, do not verbally or in written form disclose your occupation, your role within the company, or your specific position.
- If asked and only if asked, provide a shortened version of your address.
- Never leave your passport at the front desk of the hotel. If asked provide them with a color copy of your passport but never the original passport.
- Ask for a room on a floor starting on the third floor so there is not easy physical access to your room from the ground or the roof.
- If you are not comfortable with the physical security of your room, ask to be moved.
- Verify the fire exits and routes in case of an emergency from your room. During an emergency is not the time to find your way out of the building.
- Once in your room, place a chair against the door to create another barrier of security.
- Be alert to anything unusual, such as a large number of strangers outside your hotel, company, apartment, or office. If you notice anything suspicious report it to your colleagues.
- Have maximum awareness when arriving at or leaving the office or restaurants.
- Maintain a healthy suspicion of strangers and unusual incidents, and do not get involved in local situations that would place you at risk.
- Low Profile
- Try not to attract unnecessary attention to yourself, such as talking loudly or wearing conspicuous clothes or excessive jewelry.
- Do not identify yourself to strangers before you first ask for their identification.
- Do not discuss your work in public where you might be overheard.
- Be careful when speaking on the telephone, especially on a mobile phone or in a public place. When taking calls, identify the caller before giving out any personal or business details.
- Make sure that your home address and family details are kept confidential.
- Brief colleagues not to divulge personal information about you to any strangers.
- If you do have an unavoidably high profile you should strengthen your security precautions.
- Unpredictable Routines
- Avoid predictable routines. Vary your timings to and from the office or hotel.
- Vary the travel or commute routes you use. Variation in the first hundred yards and up to the first mile to and from everyday destinations is particularly effective.
- Identify any unavoidable routines and be especially alert at these times and routes.
- Do not use local taxis and arrange for car service to and from office or business customer locations.
- If you have a last-minute trip requirement, use the hotel management to arrange any last-minute ground transportation.
- Avoid walking alone, especially after dark. Walk with colleagues if possible after dark and know where you are going. Walk deliberately with physical purpose to create appropriate body language for anyone watching you.
- Maintain a 360-degree awareness at all times.
- Always confirm your arrival to the local office and call in your location on a regular basis.
- Register with your national embassy during the first day of your arrival.
- Know where each member of the team is at all times and when they are due to return.
- Discuss with each what action they should take in an emergency situation.
- Always have the contact numbers for the local office, your colleagues, national embassy, and the local emergency services.
- If you feel there is a clear and present threat to your life, call for help and let your colleagues know. It is better to cause unnecessary alarm than be caught unaware.
- Always carry your mobile telephone and verify that it functions in the geographical location.
- Keep your mobile phone fully charged and carry an external pocket portable battery charger.
- Your mobile telephone should always have the essential telephone numbers in your “contacts.”
- You might want to consider an Iridium satellite telephone as a back-up communications device if your primary mobile device does not get service in your current geographical area for whatever reason.
- Instruct your team and/or your local business office to never give out the details of the location or movements of other team members to strangers.
- Always prepare in advance to know where the local law enforcement is physically located and where your embassy is. Make sure you know where these are located in relationship to where you are located at all times during your travel.
- If you are staying in a hotel, make sure you have a good relationship with the hotel manager so they can help during a crisis and provide information.
- Layers of Personal Business Travel Security
- Understand how vulnerable you are to the threat of being taken or kidnapped. Adopt and maintain appropriate security-layer measures and vigilance at all times.
- Develop security measures for each part of your daily routine including while in the hotel, while traveling between the hotel and office, and while in the office or customer locations.
- Maintain a physical space between you and any potential threats.
- Minimize the amount of time you are physically on public streets and sidewalks.
- In restaurants, request a table toward the back of the restaurant so you can have your back to a wall and face the door.
- If traveling by car and you are sitting in the back, sit in the center of the back seat if possible. Be aware of your surroundings when stopped at a traffic light or sitting in traffic.
- On departure at the airport, provide as much time as you can prior to actual flight time departure and go through airport security, customs, and immigration as quickly as possible since this process could take longer than planned.
- Maintain physical possession of your personal carry-on luggage at all times.
- Security vulnerabilities will always be attacked at their weakest points, so you must remain vigilant 24 hours a day, seven days a week, and maintain your security posture.
As always, if you see something that does not look right, say something to the appropriate authorities. If a situation does arise, remember the three basic phases of attack survival: escape, hide, or if no other opinion fight.
Be safe and have a pleasant, productive trip.
Tom Clark, MBCI, CBCP, CHS-III, CBRM, has more than 40 years of global experience in disaster, continuity, crisis, and incident management. In 2013, he was the first American to win the prestigious BCI Global Business Continuity Manager of the Year industry award.