Skip to Content

Why Duty of Care Is Failing Your Global Business

The gap between what organisations believe they have and what actually holds up under scrutiny is larger than most boards realise.
20 June 2026 by

Most organisations believe they have duty of care covered. They have a travel policy. They have insurance. They have an emergency number on the intranet. They think that is enough. It is not enough. And when something goes wrong, the gap between what they assumed and what was actually required becomes a matter for lawyers, boards, and in the worst cases, coronial inquiries.

What Duty of Care Actually Requires

Duty of care is not a policy document. It is a legal and ethical obligation to take reasonable steps to protect the people you send into harm's way. The word "reasonable" does the heavy lifting in that sentence, and it is precisely where most organisations fall short. Reasonable does not mean average. It does not mean what everyone else is doing. It means what a prudent organisation with your resources, operating in your context, with access to the information that was or should have been available, would have done.

The standard is objective and contextual. Courts apply it retrospectively, which means they judge decisions made in uncertainty against what was knowable at the time. This is not a forgiving framework, and it is getting less forgiving as the information environment improves. Organisations that claim ignorance of risks that were publicly reported, that appeared in threat briefings, or that were foreseeable based on destination and activity profile, will not find sympathy in litigation.

The Five Points Where Organisations Fail

1. They treat duty of care as a compliance exercise. Pre-travel approval forms, country-level risk ratings from aggregator platforms, and generic emergency hotline numbers are compliance artefacts. They document activity. They do not demonstrate that the organisation assessed the specific risk to the specific traveller in the specific context. A traveller going to Lagos for a week is not equivalent to one going to Lagos for a month with community-facing responsibilities. Duty of care requires differentiated assessment.

2. They rely on insurance as a substitute for prevention. Insurance covers financial loss after harm occurs. It does not prevent harm from occurring, it does not restore what is lost when someone is seriously injured, and it does not satisfy a court that the organisation exercised reasonable care. Relying on insurance as the primary duty of care response is evidence of a fundamental misunderstanding of the obligation.

3. They use destination ratings without analysis. Commercial risk aggregators assign country-level ratings based on aggregated data — political stability, crime statistics, health infrastructure. These ratings are useful inputs. They are not risk assessments. A rating of "high risk" for a country says nothing about the specific risk to your traveller in your city on your dates doing your activities. Treating a country rating as a completed risk assessment is the most common and most litigated gap in travel risk programmes.

4. They do not document the reasoning, only the decision. When an incident occurs, the question is not just "did you have a policy?" but "what did you know, when did you know it, and what did you decide?" That requires documented reasoning — not just a checkbox approval. Organisations that cannot produce contemporaneous records of their risk assessment and the basis for their decision are in a very difficult position when litigation follows.

5. They do not account for the traveller's profile. A senior executive with significant public visibility in a country with kidnap risk is not the same as an analyst doing research in a stable city. Duty of care requires that you consider who you are sending, not just where. Gender, nationality, visible religion, health conditions, and role all affect the risk profile. Organisations that apply uniform procedures without adjustment for individual circumstances are not meeting the standard.

ISO 31030 and the Direction of Travel

The publication of ISO 31030:2021 — Travel Risk Management — was significant not because it created new obligations, but because it codified what reasonable practice looks like. Courts and regulators increasingly reference it. An organisation that is unaware of ISO 31030, or that has made no effort to align with it, is demonstrating a gap in its duty of care framework that will be visible in litigation.

The standard requires organisations to understand their traveller population, assess risks systematically, implement proportionate controls, monitor during travel, and review and improve the programme. None of this is onerous for a large organisation with a structured travel programme. What it requires is intent and discipline — which is precisely what many organisations lack.

What Good Practice Looks Like

Effective duty of care in a travel context requires four things. First, a risk assessment process that is specific to the traveller, destination, purpose, and duration of travel — not just a destination rating. Second, pre-travel briefing that gives the traveller the information they need to make decisions and stay safe, not just contact numbers. Third, in-travel monitoring that allows the organisation to know where its people are and to communicate with them in a crisis. Fourth, post-travel review that captures incidents and near-misses and improves the programme.

None of this requires sophisticated technology. It requires a systematic approach and the organisational commitment to take it seriously before something happens, not after.

The Accountability Gap

When I work with organisations on duty of care failures, the most common finding is not that they lacked policy. It is that the policy was not operationalised. Someone approved it. Someone filed it. Nobody trained against it, tested it, reviewed it, or applied it to the specific situation that led to the incident.

That accountability gap — between what an organisation says it does and what it actually does — is where litigation is won and lost. It is also where people get hurt who did not need to get hurt.

Duty of care is failing your global business not because you lack awareness of the concept, but because the distance between policy and practice has not been closed. That gap is closeable. It requires intent, process, and accountability — and those are decisions that begin at the board and executive level, not with a travel manager filling out a form.

Tony Ridley provides advisory services on travel risk management, duty of care programme design, and ISO 31030 alignment. Enquiries welcome via the contact form.

What 30 Years of Risk Leadership Actually Teaches You (That the Frameworks Cannot)
Frameworks, standards, and methodologies are tools. The judgment required to use them well comes from somewhere else entirely.