Back to blog
Travel Risk ManagementDuty of CareOperationsCompliance

The Spreadsheet Problem: Why Most Travel Risk Programs Fail

Most organisations manage travel risk with spreadsheets, WhatsApp groups, and Google searches. Here's why that's a liability — and what a real system looks like.

February 28, 2026ShadowIQ Risk Intelligence Team

Here's how most organisations manage travel risk today:

  1. Someone maintains a spreadsheet with traveler names, destinations, and dates
  2. The night before departure, someone Googles the destination
  3. A WhatsApp group exists for "emergencies" — it goes quiet when it matters most
  4. Government travel advisories get checked once, filed, and forgotten
  5. When something goes wrong, everyone scrambles

If this sounds familiar, you don't have a travel risk management system. You have a collection of habits. And habits break under pressure.

Why Spreadsheets Fail

Spreadsheets are brilliant tools. They're flexible, familiar, and free. They're also completely wrong for travel risk management. Here's why:

They're Static in a Dynamic Environment

A spreadsheet captures a moment in time. Travel risk changes by the hour. The protest that wasn't happening when you updated the sheet on Monday is blocking the route to the airport on Wednesday. The airline that was operating normally just cancelled 1,800 flights.

Static tools can't manage dynamic risk.

They Don't Alert Anyone

A spreadsheet sits in a shared drive until someone opens it. It doesn't send a push notification when a crisis erupts in your traveler's destination. It doesn't wake up the duty manager at 3am. It doesn't text the traveler to avoid the CBD.

Risk management without alerts is just record-keeping.

They Can't Scale

Five travelers a month? A spreadsheet works. Fifty travelers across twenty countries with overlapping trips, different risk profiles, and multiple approval chains? The spreadsheet becomes a full-time job — and a single point of failure when the person maintaining it is on leave.

They Don't Prove Anything

When a regulator, insurer, or court asks what your organisation did to protect a traveler, "we had a spreadsheet" is not a compelling answer. There's no audit trail, no timestamp on when risks were identified, no record of what warnings were sent, and no documentation of the response.

Compliance requires evidence. Spreadsheets don't generate it.

The WhatsApp Problem

WhatsApp groups deserve their own callout because they're ubiquitous in travel risk management — and dangerously unreliable.

WhatsApp is not a crisis communication tool. It requires the traveler to have internet access (not guaranteed in a crisis), to be checking their phone (not guaranteed if they're in danger), and to be in the right group (not guaranteed if they were added to the "Asia team" group but are transiting through the Middle East).

More importantly, WhatsApp creates no structured data. You can't query it, audit it, or report on it. When the board asks "how did we handle the evacuation?", scrolling through a WhatsApp thread is not an answer.

What a Real System Looks Like

A travel risk management system — as opposed to a collection of tools — has five characteristics:

1. Continuous Monitoring

The system watches threats 24/7, not just when someone remembers to check. It ingests data from hundreds of sources — government advisories, news, social media, aviation data, weather services, security feeds — and filters signal from noise.

2. Automated Alerts

When a relevant threat is detected, alerts go out automatically — to the traveler, their manager, and the duty team. Via SMS, email, push notification, or all three. Within minutes, not hours.

3. Location-Specific Intelligence

"Country X is high risk" isn't actionable. "There's a protest forming 2km from your hotel, police are deploying, and the road to the airport is blocked" is actionable. Real systems provide granular, location-aware intelligence.

4. Traveler Accountability

At any moment, you should be able to answer: "Where are our people?" Not approximately. Not "probably in Dubai." Exactly. A system tracks itineraries, monitors disruptions, and confirms traveler status.

5. Compliance Documentation

Every alert sent, every risk identified, every response taken — documented automatically. When the auditor calls, you pull a report. When the insurer asks, you show the timeline. When the lawyer enquires, you demonstrate due diligence.

The Cost of "Good Enough"

The spreadsheet approach works fine — right up until it doesn't. And when it doesn't, the consequences aren't a formatting error. They're a stranded employee, an injured student, an unaccounted-for executive, or a legal claim that your organisation failed its duty of care.

The gap between "good enough" and "adequate" is invisible in peacetime. It becomes very visible in a crisis. And by then, it's too late to build the system you should have had.

Moving Forward

You don't need to rip out everything overnight. Start by asking three questions:

  1. Can we account for every traveler right now? If no, that's your first problem.
  2. How quickly can we alert a traveler to a new threat? If the answer is "when someone sees it on the news and remembers to call them," that's your second problem.
  3. Can we prove what we did? If the answer involves searching through emails and WhatsApp threads, that's your third problem.

ShadowIQ was built to solve all three — continuous monitoring, instant alerts, and automatic compliance documentation. One platform, not a patchwork of spreadsheets and group chats.

Because a WhatsApp group is not a duty of care strategy.

Ready to move beyond spreadsheets? See how ShadowIQ works →