Duty of care is a non-transferable legal obligation, yet many organisations continue to treat event safety as a mere procurement decision. Tony Ridley, chief security and risk advisor at EMA Global, explains why company leaders and event planners must realign their metrics and treat attendee safety as a binary, documented test
What is duty of care, and why is it important during meeting and events (M&E) disruptions?
Duty of care is a legal obligation, not a marketing tagline. It is owed directly to the individual, not to the trip itself. Furthermore, signing a contract with a big-name provider simply adds a party to the mix; it does not transfer your legal responsibility. The principal organiser still owns it.
M&E concentrates that duty far more than any other element of your corporate travel programme. Picture 200 top performers staying at a single resort that is fed by just one stretch of road from the airport, with one TMC handling the entire operation.
Now, introduce a typhoon, a coach crash, or a major power failure into that scenario. The decision-making window instantly collapses to a matter of hours. The critical work that supports those high-stakes decisions either exists before the event occurs, or it does not exist at all.
What is physical security? What do M&E planners need to know, and what are they missing?
There are three key areas where M&E planners typically come unstuck. The first is hotels, where detailed research into hotel fires reveals preventable deaths year after year, worldwide. Organisations that strictly vet airlines will often select a hotel based solely on loyalty tiers and room rates. While aviation receives strict governance, the locations where delegates sleep are treated as mere procurement decisions.
The second area is ground transport. The airport-to-venue leg produces the highest potential single-event fatality exposure of the entire journey, yet it receives the least auditing. Planners who would never put delegates on an unvetted airline routinely place them on a bus they have never even seen.
Finally, off-site experiences like yacht charters, desert excursions, and helicopter transfers appear in death and medical incident statistics far more often than the main programme. Typically, the TMC negotiates these on purely commercial terms, meaning your risk function never actually vets the operator. Beneath all of these missteps lies a fundamental mistake: assuming a brand name is a proxy for actual capability.
How can M&E planners build technology and cybersecurity resilience?
Event apps, registration platforms, badge systems, hybrid streaming services, and venue Wi-Fi collectively hold one of the densest concentrations of personal data and access privilege in your business. However, they usually sit outside your corporate IT perimeter, are stood up and torn down in a matter of days, and are run by third parties who are rarely audited in depth.
Planners can build resilience across three distinct layers. In the design phase, treat the event app and registration platform as being fully in scope for your information security programme, evaluating them using the same baseline as any other corporate technology vendor.
When it comes to operations, assume venue Wi-Fi is hostile and explicitly communicate this to delegates. Phishing attacks targeting named conference participants spike just before and after major events, as your agenda and speaker list function as open-source intelligence.
Lastly, establish contingency plans by rehearsing for streaming failures, registration outages, and badge compromises, documenting these practical workarounds before the event, not after.
What innovative tools and vendors are now available for M&E duty of care planning?
The market is increasingly separating platforms from programmes. The ultimate test is this: if your primary vendor went under tomorrow, would your duty of care still be successfully discharged?
When assessing the market, look for integrated medical and security operations. Crucial decisions during a disruption, such as whether to treat, hold, move, or repatriate, sit at the intersection of medical and security judgment, and a federated model splits these functions in a way that can slow down response times.
You should also look for intelligence-led pre-event assessments from vendors that provide specific evaluations of your chosen venue, accommodation, and transfers, rather than just a generic country summary lifted from a database.
Finally, seek out mass-incident capabilities, ensuring the vendor’s systems have been tested on scenarios involving 200 affected people in a single location with anxious families on the phone, rather than just a single assistance case.
The vendor market currently includes highly capable specialists alongside a long tail of badge-and-app businesses positioning themselves as duty of care providers. Buyer diligence makes all the difference.
Who are the critical stakeholders that must be engaged in the M&E duty of care playbook, and what perspectives do they bring?
The playbook inevitably collapses when it is owned exclusively by procurement, the events team, or security alone. A successful playbook must engage a wide range of corporate functions.
The executive sponsor owns the business case, while legal and compliance anchors the strategy to the specific laws of each country. Work health and safety identifies officer duties and liability exposure, while security and risk owns the actual threat assessment and emergency response.
Medical advisory is required to guide clinical decisions during a mass event, and communications manages the heavy reputational load.
Finally, procurement and finance controls the vendor contracts, while internal audit tests whether the playbook is actually being implemented on the ground. Each stakeholder brings a vital perspective that the others cannot replicate. The most common failure pattern is when events and procurement sign off on a plan and simply assume the rest of the organisation will follow.
How differently do M&E planners and company leaders need to think about duty of care today to align their goals?
Currently, individual departments are driven by misaligned metrics. The events team is measured on satisfaction and attendance; risk is measured on the absence of an incident; legal looks for the absence of litigation; and the CEO focuses on growth. None of these metrics actually asks whether the duty owed to the people at the event has been discharged.
To fix this, both planners and leaders need to shift their thinking toward a shared question asked before any contract is signed: if a serious injury or fatality occurred tomorrow, what two pieces of evidence would we most want to produce, and can we produce them today?
For leaders, duty of care is not discharged simply by buying a tech platform or holding an insurance policy. Senior officers bear personal liability in most jurisdictions, including exposure to industrial or corporate manslaughter charges, making the officer due diligence test entirely binary and evidence-based.
For planners, the shift means involving the risk function during venue selection, not at the final sign-off, because the safety of an event is ultimately determined within the first 10 per cent of the planning timeline.
Do you have any final advice?
First, make it a priority to read the incident data. The aviation industry would never accept a safety briefing that ignored prior accident reports, yet M&E routinely commissions programmes that ignore published data on hotels, ground transport, and mass gatherings. You must utilise this existing data to protect your attendees.
Second, treat the TMC as a contractor, not a partner. A partner shares your financial and legal risk, whereas a contractor delivers strictly to your specifications. The protective requirements that accompany your people are entirely yours to set in writing before the contract is signed.
Finally, expect far more scrutiny moving forward. Recent inquiries and regulator decisions in the region have increasingly turned on whether organisations could produce clear documentation of their protective decisions. The organisations that have done the work and can prove it will fare well, while those that confused mere activity for concrete evidence will not.
