The Polycrisis Effect: Why Travel Risk in 2026 Can No Longer Be Managed in Silos

The geopolitical environment in 2026 is the most volatile in a generation. With 159 state-based conflicts active worldwide — the highest figure since systematic recording began — the assumption that "low-risk" destinations will remain stable has been shattered. The U.S. State Department issued 22 "Do Not Travel" advisories in January 2026 alone, and the expanding crisis corridor across the Sahel now encompasses nine African nations under Level 4 warnings. Middle East tensions continue to depress air passenger demand across entire regions, redirecting travel flows through alternative hubs that bring their own risk profiles. For corporate travel managers, the geopolitical dimension is no longer a background factor to monitor — it is the primary variable that reshapes every other risk category. An airspace closure triggered by a regional conflict does not just delay a traveler; it forces rerouting through jurisdictions with aggressive digital surveillance, strands employees in locations with inadequate healthcare infrastructure, and creates the operational chaos that cyber criminals and AI fraudsters exploit.

Artificial intelligence has fundamentally changed the threat landscape for business travelers in 2026. Deepfake technology now requires as little as three seconds of audio to clone a voice convincingly. Real-time video filters allow attackers to impersonate executives on live video calls — and multiple confirmed cases this year have resulted in multi-million-dollar unauthorised transfers. AI-generated phishing has eliminated the grammatical errors and generic phrasing that once served as warning signs; attacks are now hyper-personalised, referencing specific project names, recent travel itineraries, and internal organisational details. Business travelers are particularly vulnerable because they operate under time pressure, across unfamiliar time zones, and often using hotel or airport Wi-Fi that provides minimal security. The convergence is critical: when a geopolitical disruption strands a traveler and creates urgency, the conditions are perfect for an AI-powered social engineering attack. A panicked employee receiving a deepfake voice call from their "CEO" requesting an emergency transfer is far more likely to comply than one operating in normal conditions. Traditional security training — "check the sender's email address" — is no longer sufficient against threats that can perfectly replicate human identity.

Climate-related disruption has moved from the periphery of travel risk management to its centre. In 2026, extreme weather events are not occasional inconveniences — they are recurring, cascading operational crises. Heat waves have buckled roads and warped rail tracks across Southern Europe and the American Southwest. Wildfires have closed airports and evacuation routes in California and Mediterranean destinations. Flooding has paralysed transit hubs from Dubai to São Paulo. The hub-and-spoke architecture of global aviation means that a single weather event at a major hub — Dallas, Frankfurt, Singapore — triggers national or continental-level delays. Air traffic control staffing shortages, already at critical levels, further limit the system's ability to recover. For organisations, the climate dimension intersects with every other risk category. A hurricane that grounds infrastructure in a transit hub does not just delay employees — it strands them in locations where healthcare access may be limited, where emergency accommodation is scarce, and where the disruption creates precisely the operational chaos that opportunistic criminals exploit. Governments are also responding to climate-driven tourism pressures with new taxes and access restrictions — Hawaii's 2026 climate resilience tax, similar levies in Greece, Indonesia, and Ecuador — adding regulatory complexity to the planning burden.

Cybercrime is ranked as a top-tier corporate risk for 2026, and business travelers represent the most exposed attack surface. Employees connecting through hotel, airport, and conference Wi-Fi networks are prime targets for state and non-state actors seeking access to corporate systems. The risk is compounded by the growing government practice of border device searches — U.S. CBP conducted over 55,000 electronic device searches in FY2025, a fourfold increase since 2015 — which can result in the complete forensic extraction of a device's contents. The polycrisis dynamic is particularly acute in cybersecurity. A geopolitically triggered travel disruption forces rerouting, which may take a traveler through a jurisdiction with aggressive digital surveillance. A climate event that strands employees leads to extended use of unsecured networks. An AI-generated phishing attack, delivered while a traveler is exhausted and disoriented after 18 hours of delays, exploits precisely the cognitive vulnerability that the disruption created. Each risk domain does not merely add to the others — it multiplies them.

The polycrisis has a human dimension that most travel risk frameworks still fail to address. Research shows that 78% of business travelers experience mental health issues — burnout, anxiety, isolation — and a 2025 Deloitte survey found that 83% would change employers for a better travel policy. In a polycrisis environment, the mental health burden is not additive but multiplicative. A traveler stranded by a climate disruption, subjected to an invasive device search at a rerouted border crossing, and targeted by an AI-generated scam during the delay is not experiencing three separate incidents — they are experiencing a single, cascading crisis that compounds psychological stress at each stage. Yet most organisations manage traveler wellbeing as a standalone HR function, disconnected from security, IT, and operations. The result is a duty of care gap that creates both legal liability and talent attrition risk. Every dollar invested in a mentally healthy workplace yields approximately $2.30 in return — but only if wellbeing is integrated into the risk framework rather than treated as a separate benefit.

The central argument of the polycrisis is that risks which are interconnected cannot be managed by disconnected teams. In most organisations, physical security reports to facilities or operations; cybersecurity reports to the CIO; traveler wellbeing sits with HR; legal compliance is managed by the general counsel; and travel logistics are handled by procurement. Each function optimises for its own domain — but none has visibility across the full risk landscape a single business trip creates. Leading organisations in 2026 are dismantling these silos by building integrated risk ecosystems. The model centralises traveler tracking, real-time risk intelligence, expense management, and incident response into a single "source of truth" with cross-functional governance. A risk event triggers a coordinated response: security assesses physical threats, IT locks down digital exposure, HR activates wellbeing support, and legal ensures compliance — simultaneously, not sequentially. The technology exists: AI-powered platforms can now integrate geopolitical data, weather forecasts, cyber threat feeds, and identity-specific risk profiles into a unified pre-travel risk assessment that updates in real time. The barrier is organisational, not technological.

The final evolution demanded by the polycrisis is the shift from reactive policy enforcement to predictive intelligence. Static travel policies — annual reviews, destination-level risk ratings, generic safety briefings — were designed for a world in which risks were discrete and predictable. In 2026, that world no longer exists. Modern travel risk management requires scenario planning that models risk interactions, not just individual threats. What happens when a climate event disrupts a geopolitically sensitive corridor? What is the protocol when AI-generated fraud targets a traveler who has been stranded and sleep-deprived for 24 hours? How does the organisation respond when a border device search exposes both personal data and corporate intellectual property? Organisations that can answer these questions — with documented protocols, tested through regular cross-functional drills, supported by real-time intelligence platforms — will navigate the polycrisis without incident. Those that cannot will learn the answers the hard way: through a crisis that cascades across every silo simultaneously, with no coordinated response to contain it.