Duty of Care in 2026 Why Travel Risk Has Become a Governance

Business travel in 2026 is operating at scale again. Global passenger demand continues to grow, and airlines are reporting sustained traffic recovery with high load factors across major markets, according to the International Air Transport Association (IATA).

At the same time, the Global Business Travel Association (GBTA) reports that a majority of corporate travel buyers expect budgets to remain stable or increase in 2026, despite cost pressures and geopolitical concerns.  

For finance and risk leaders, this signals one thing clearly - corporate travel is not contracting, it is normalizing at high volume. And when activity scales, exposure scales with it.

Disruption Is No Longer Exceptional, It Is Structural

The Zurich Insurance Group Business Travel Outlook 2026 found that 80% of business travelers experienced at least one disruption in 2025, while 53% reported facing an incident or emergency during travel. Additionally, 58% believe their employer could do more to protect them.  

For CFOs and risk officers, this data should not be read as anecdotal discomfort. It indicates systemic volatility. If 8 out of 10 business trips face disruption, then travel risk is not a rare event category. It becomes a recurring operational variable.

The financial implications include:

• Rebooking costs and last-minute fare escalation
• Additional accommodation expenses
• Missed meetings and delayed deal cycles
• Productivity erosion

But beyond cost, there is governance risk. If an organization cannot immediately identify where its employees are during disruption events, it cannot respond effectively. Visibility becomes the operational foundation of Duty of Care.

Leakage: The Invisible Multiplier of Risk

Industry benchmarking widely indicates that 20-30% of corporate travel spend may occur outside approved booking channels in many enterprises. While percentages vary by program maturity, unmanaged booking remains a persistent issue across global organizations.  

For finance leaders, leakage is often framed as lost negotiated savings. That is only part of the story.

When travel is booked outside approved systems:

• The company may not have accurate real-time traveler location data
• Negotiated supplier protections may not apply
• Insurance coverage alignment may be inconsistent
• Crisis response teams may lack immediate itinerary access

In volatile operating environments, fragmented booking data creates fragmented accountability. Duty of Care without consolidated booking visibility is structurally weak.

Safety Expectations Have Shifted from Policy to Assurance

Zurich’s findings also indicate that a significant proportion of travelers feel less safe traveling than in previous years. This shift matters.

Employees are increasingly aware of:

• Geopolitical instability
• Climate-related disruptions
• Health risks
• Digital surveillance and cyber threats

Travel is no longer perceived as routine mobility. It is perceived as exposure. When employees believe that employer oversight is inadequate, confidence declines. Over time, this affects compliance, morale, and retention.

For HR leaders, Duty of Care is now tied directly to employee trust and employer brand.  

Cybersecurity: The Overlooked Travel Risk

The modern business trip is digitally intensive. Employees access financial systems, upload expense documentation, share confidential files, and connect through public Wi-Fi networks in airports and hotels. Industry research across travel and cybersecurity surveys consistently shows elevated concern among business travelers regarding data exposure while traveling.

The risk for enterprises is not theoretical:

• Unsecured networks increase vulnerability to interception
• Device theft during travel can expose sensitive data  
• Fragmented booking systems may reduce control over accommodation security standards
• Travel risk now intersects directly with information security governance

For CFOs, this creates a cross-functional exposure spanning travel management, IT security, and compliance oversight.

Legal and Regulatory Expectations Are Expanding

Global labor frameworks, including guidance from the International Labour Organization (ILO), emphasize employer responsibility for occupational safety and health in work-related activities, including travel.  

This reinforces a critical shift - Duty of Care is not merely an HR policy statement, it is a governance obligation.

In the event of a serious incident, organizations may be required to demonstrate:

• Reasonable oversight of travel activity
• Risk assessment processes
• Communication protocols
• Emergency response capability

Without centralized systems, such documentation becomes difficult to substantiate.

Investment Trends Reflect Structural Concern  

This is not a cyclical caution. It is structural reprioritization.

According to StatsMarketResearch’s Global Travel Risk Management Services Market Forecast (2025–2032), the travel risk management services market was valued at approximately $104.85 billion in 2024 and is projected to reach $186.3 billion by 2032, expanding at a compound annual growth rate of 8.8%.

Markets of this scale do not grow at sustained high-single-digit rates unless boards are allocating recurring capital. For CFOs, this signals three shifts.

Risk exposure is now systemic: Travel disruption is no longer episodic. Geopolitical volatility, climate events, regulatory changes, and infrastructure fragility overlap, increasing the probability of operational interruption and financial impact.

Duty of Care has moved from HR policy to enterprise liability: Regulatory expectations increasingly require demonstrable traveler visibility, response capability, and auditability. The absence of structured oversight is no longer defensible.

Mobility risk intersects with financial risk: Disruption impacts productivity, contractual commitments, revenue timing, insurance premiums, and legal exposure. Travel oversight is now part of enterprise risk management, not administrative support.

An 8.8% CAGR sustained through 2032 reflects durable executive concern, not tactical experimentation. Capital is flowing into structured risk frameworks because unmanaged exposure compounds silently across balance sheets.

For finance leaders, the signal is clear - travel risk management is transitioning from discretionary investment to structural control infrastructure.

The CFO Lens: Travel as Enterprise Risk Infrastructure

From a financial governance perspective, unmanaged travel exposure compounds across four dimensions:

• Financial Risk: uncontrolled spend and forecasting gaps
• Operational Risk: disruption response inefficiency
• Legal Risk: duty-of-care accountability
• Reputational Risk: employee perception and public scrutiny

When travel programs lack centralized data integration, each of these risks operates independently and invisibly.

When travel is structured within unified systems, visibility becomes measurable, auditable, and controllable. The distinction between policy and infrastructure becomes clear where policy states intent and infrastructure enables control.

Duty of Care in 2026 Is About Visibility

Corporate travel volumes are rising again. Disruption frequency remains high. Employee expectations are elevated. Regulatory scrutiny is expanding. In this environment, Duty of Care is no longer satisfied by written policy documents or manual check-ins.

It requires:

• Real-time traveler visibility
• Consolidated booking data
• Integrated financial oversight
• Coordinated risk response capability

For CFOs, HR leaders, and risk officers, the question is no longer whether travel will occur. It is whether travel exposure is measurable. In 2026, the strength of a company’s Duty of Care framework will be defined not by its statements, but by its systems.