ISO 31030 at Five Years
How a “Voluntary” Standard Became the Silent Benchmark in Duty-of-Care Law
Five-year facts on the floor
When ISO 31030:2021 — Travel risk management: Guidance for organizations — landed in September 2021, it was the first international standard of its kind. Four and a half years on, it has quietly become the document corporate lawyers read after an incident, the framework insurers quote when pricing K&R or political-violence cover, and the checklist procurement teams now paste into RFPs. It is not law. You cannot be certified to it. And yet, the pattern is unmistakable: ISO 31030 has moved from reference document to de facto standard of care.
This piece is a five-year scorecard — what’s actually been tested in court, what’s still a myth, and what the next 24 months will mean for every organisation that sends people across a border. The short version: if your travel-risk programme was “good enough” in 2021, it almost certainly isn’t in 2026.
“The question in court will never be did you follow ISO 31030? — it will be did you do everything a responsible employer should have done? ISO 31030 is simply the best evidence either way.”
Emerging consensus from post-2021 UK, US and EU legal commentary
1. The Legal Afterburner
ISO 31030 did not create duty-of-care obligations — those existed long before. What it did was give courts, coroners and insurers a single, structured reference for what “reasonable” looks like. That has changed everything.
The Dusek precedent still casts the longest shadow
Dusek v StormHarbour Securities LLP [2015] EWHC 37 (QB) remains the founding precedent. The High Court found the employer’s duty of care to be non-delegable — StormHarbour could not rely on the fact that a third-party operator held a valid Air Operator’s Certificate. A reasonable employer would have conducted at least a minimal inquiry into the safety of a chartered helicopter flight across the Peruvian Andes. The case pre-dates ISO 31030 by six years, yet it is the lens through which every subsequent claim is now tested — and ISO 31030 is the rubric.
Post-2021, ISO 31030 has been cited by:
- Claimant lawyers framing “what a reasonable employer should have done” in pre-action correspondence
- Defendant organisations demonstrating due diligence (risk register, pre-trip briefings, tracked escalation)
- Coroners’ inquests in the UK and Ireland, as a reference document for expected standard of care
- K&R, political-violence and business-travel insurers in declinature and premium-loading decisions
- ESG and sustainability auditors assessing human-capital disclosures
The “we didn’t know” defence is now effectively dead
ISO 31030 requires current risk assessments — which the courts read as implying continuous monitoring, including in local-language sources where threats often appear first. The consistent ruling across post-2021 cases is that if a threat was publicly available and the organisation failed to monitor it, that failure is itself a breach. Ignorance is no longer a defence; passive subscriptions to a single English-language advisory service are no longer enough.
Parallel regimes reinforcing the standard
- 🇬🇧UK — Health & Safety at Work Act 1974 + Corporate Manslaughter & Corporate Homicide Act 2007
- 🇺🇸US — OSHA General Duty Clause + “special errand” rule in workers’ comp jurisprudence
- 🇪🇺EU — Framework Directive 89/391/EEC (employer’s general duty to ensure safety)
- 🇨🇦Canada — Westray amendments to the Criminal Code (s.217.1)
- 🇦🇺Australia — Model WHS Act industrial-manslaughter extensions (QLD, VIC, NSW)
2. The Adoption Scorecard
What’s working vs. what’s still weak
✅ What’s working
- Board-level visibilityLarger organisations (FTSE 350, Fortune 500, global NGOs) now have dedicated travel-risk roles — a function that essentially didn’t exist pre-2021.
- 24/7 assistance coverageNear-universal in the enterprise tier; vendor consolidation is maturing the market.
- Pre-trip briefings & traveller trainingNow routine rather than exceptional, with measurable take-up via LMS.
- Risk-tiered approval workflowsBaked into expense and booking tools; the “high-risk destination” approval layer is the single biggest procedural upgrade of the past four years.
- Industry collaborationActive forums via ISO/TC 262, GBTA Risk Committee, ACTE, and the WTTC Safer Travel pillar.
⚠️ Where it’s still soft
- Accommodation riskTravellers still prioritise cost; hotel due-diligence is the single most frequently skipped step in the ISO 31030 flow.
- Information security during travelSocial engineering, hotel Wi-Fi attacks, MFA fatigue, and deepfake “stranded traveller” calls targeting the employer.
- SME adoptionMost small and mid-cap organisations still don’t know the standard exists — yet their duty of care is identical.
- Siloed ownershipWhen TRM sits in HR, Security, Procurement or Legal — and rarely all four — accountability falls between the cracks.
- Drone & UAV riskBoth as threat (Red Sea, Ukraine, Mexico) and as a monitoring tool — a new frontier for route risk assessment.
- Accompanying travellersFamily members, spouses on relocation, postgrad students — often outside formal policy scope, yet inside the duty of care.
3. What’s Coming in the Next 24 Months
The trajectory is clear: voluntary guidance is hardening into contract-enforceable, insurance-priced, procurement-gated obligation. Five converging forces:
1. Certification track
ISO/TC 262 is actively working a successor certifiable scheme — expected public consultation 2026/27. This flips the market dynamic: vendors, not just clients, become audit-able, turning today’s “best-efforts” language in service contracts into a contractually enforceable bar.
2. Anti-harassment integration
The UK Worker Protection Act 2024 (effective October 2024) is being read across by employment counsel as creating a travel-specific obligation. Your overseas hotel choices, late-night transfer arrangements and solo-travel patterns now sit inside a sexual-harassment-prevention duty as well as a physical-safety one.
3. Insurer-driven enforcement
K&R, political-violence, business-travel and medevac underwriters are increasingly pricing off maturity scores against ISO 31030. The premium delta between a “compliant” programme and an “informal” one is widening fast — we’re seeing double-digit percentage gaps on renewal.
4. Procurement-driven enforcement
RFPs from governments, universities, pharma companies and multinationals now routinely include ISO 31030 clauses. If you tender for anything international — research grant, aid contract, concession, operator licence — the standard is no longer optional.
5. ESG / CSRD reporting
EU Corporate Sustainability Reporting Directive (CSRD) standards are beginning to probe traveller welfare programmes under the “Own Workforce” disclosure strands. ISO 31030 is the quickest, most defensible disclosure anchor organisations have.
4. Your 5-Year ISO 31030 Audit
Ten questions every board, GC and Head of Security should be able to answer
- 1Is your travel-risk policy board-approved, dated, and reviewed in the last 12 months?
- 2Is risk assessment dynamic (refreshed en route), not static at the booking stage?
- 3Is accommodation security-screened against named criteria, not just brand or star rating?
- 4Do you have documented, tested, escalation paths for after-hours crises — in the local time zone?
- 5Are family members and accompanying travellers inside the policy scope?
- 6Is information security (device, credential, social-engineering) in the pre-trip brief?
- 7Do you have a post-trip debrief process that feeds the next risk assessment — or does it die in an inbox?
- 8Is your insurance (medevac, K&R, political violence) aligned to the realistic threat picture, not just default corporate travel cover?
- 9Are your traveller-tracking tools opt-in, GDPR-compliant, tested, and operational out-of-hours?
- 10Do you have named accountability for travel risk — a person, not a committee?
5. What TRSS Sees in the Field
The organisations that survive a serious incident are invariably those where ISO 31030 lives in a tested playbook, not in a PDF on a shared drive. The ones in trouble can produce policy documents but not operational practice. At TRSS we see the same pattern repeatedly: strong paperwork, weak drill cycles; clear governance structures, unclear out-of-hours authority; polished risk matrices that haven’t been updated since COVID. A five-year refresh is not optional anymore — it’s the minimum defensible position.
If you’re not sure where your programme sits on the scorecard above, that is itself the answer. We run independent ISO 31030 readiness and maturity assessments that pressure-test every element of the ten-point audit against live incident data and your current insurance, procurement and legal exposure.
ISO 31030 at five years is a quiet success story with a sharp edge. The standard has done its job of raising the floor of expected practice — and the floor is now the ceiling below which liability, insurance cost and reputational damage accumulate. The next two years will formalise what courts, insurers and procurement teams have already decided. The organisations that move first will set the benchmark. The ones that don’t will meet it — in a courtroom.