Work From Anywhere has become the new call to arms as organizations try to reignite existing workforces and attract new talent, but like all transformations it is only as good as the process that guides it. COVID has proven to be a valuable use-case in many areas, not least of which was managing the changes forced upon operational cultures and our approach to work-life balance. Savvy enterprises seeking to bring on new talent know this and are making “work from anywhere” a hallmark of their employment practices. Other, dare I say, “old-fashioned” employers may realize they have no choice but to embrace it in the age-old game of market forces dictating terms.

Whatever the motivation, employers should not go quickly into this new dawn. Aside from the appeal, and potential savings on office space and other common expenses, there are many factors to consider. Some can be quite costly. In an attempt to protect themselves, companies are putting their Travel Risk Management teams to the task. But this new modality has little in common with the current TRM school and in fact shares more ground with other corporate functions.

Previously, an organization headquartered in one country could avoid the complicated gymnastics of hiring a worker domiciled elsewhere simply by classifying that person as an independent contractor. But individuals are no longer willing to part with the protection and perks of being an employee. One solution is working with a company that provides distributed workforces. Known as “employers of record” in Europe and Asia, EORs are similar to Professional Employer Organizations (PEOs) in the United States. The EOR or PEO is the registered employer for tax and administrative purposes, but the day-to-day management of the employee remains with the organization.

This is one way to get over the initial hurdle of onboarding the employee, but it does not mean the work is done. Risks and other implications will continue to accrue to the employer and employee alike. In the past, Travel Risk Management was the framework for managing how we moved our people around. Whether those were meetings, field visits, conferences or anything else, the placements were temporary (even if on a rotation) and the TRM teams had their tried and true playbooks for managing those movements. That will no longer suffice.

When WFH Becomes WFA
Work From Anywhere, aka WFA, is a more compelling term for “remote working” that was applied during the pandemic. Where the latter was generally meant for employees to work from home (WFH, remember that?), the former connotes a much more liberal approach to employee accountability. But unlike TRM, WFA carries myriad dimensions that necessitate anticipating and responding to risk.

Work From Anywhere opens the Pandora’s box because it is about risk to the organization’s people (i.e., Duty of Care) as well as risks from those people to the company, even when they are staying at home. Replace “Travel” of the TRM with “People,” and the same framework applies. So think of this as People Risk Management.

To consider Work From Anywhere as a component of People Risk Management requires an integrated approach. Stakeholders from traditional disciplines of travel, risk, EHS&S, HR and security are central, but must collaborate with teams from communication, IT, legal, facilities and others in order to corroborate and federate data. This requires a more continuous risk management approach and a more coordinated culture among groups that aren’t necessarily used to interacting on an on-going basis.

The ways an employee logs in, uses e-mail, connects to WiFi and makes calls are easy to monitor when that employee is working from a predetermined site. But what if that person plans to spend the summer in Europe, moving around unknown hotels, Airbnbs and other locations? What measures does the enterprise have in place to secure those multiple touchpoints? What tax and compliance issues need to be addressed?

Various cultural risks fall into play also. If the employee strays into an area not friendly to his or her gender or cultural identity, they could be targeted by hostile locals or other travelers. Duty of care provisions may not historically cover an employee on personal travel, but if the employee is in trouble and threatens to compromise operations, the employer may not have a choice.

Ever since the European Union launched its Digital COVID Certification, traveling through partner countries has gotten simpler. Still, each country is at liberty to change their restrictions and entry guidelines as it sees fit, especially where it concerns non-member nations and other passport holders. And the EU ‘Green Pass’ does not apply to Americans.
One need look no further than the contretemps between the US and the EU this past summer for an example of how quickly the travel landscape can shift. In June, travel restrictions for fully vaccinated American travelers were relaxed. But when the US did not respond in kind, the EU told member states at the end of August to shut down the corridor with America. The reason given was the spike in delta variant in the US. However, coupled with that was the US government’s refusal to lift its ban on all inbound non-essential travel to the US – including from Europe.

Although there were no guarantees of reciprocity between the two blocs, foreign leaders grew increasingly impatient with Washington’s failure to move more quickly to reopen. Then in mid-September, the US announced it would indeed ease restrictions on fully-vaccinated inbound international travelers, replacing the so-called 212f rules and reopening American borders to much of the world when the policy changes are finally implemented early in November.

To the American traveler, changing restrictions may be a personal problem. But those travel snafus may leave the individual employee waylaid, causing disruptions in workflow and communications as well as putting him or her in an unknown circumstance for an indefinite amount of time.

Where In the World?
COVID-19 is far from over and will likely continue to be with us globally in some form into 2025. If your person has decided to spend a month in Italy, and successfully made it there, yet the delta variant has escalated to levels where you’re issuing “WFH” orders, does that apply to your Italian-based employee? These exceptions may seem incidental, and perhaps negligible, but the trend is growing.

More predictable, albeit no less murky, are concerns around immigration, visas and tax implications. The organization may not have sent the employee to work from the villa in Trieste, but it did approve the trip. Even if legal determines the responsibility of any work permits rests with the employee, HR is going to have to weigh in on the tax matters. This is more than just considering the local responsibility; it encompasses understanding what may have to be withheld and reported to the host country the employee is working in.

The tax question applies domestically too. Certain neighboring metro regions in the US have mechanisms in place for taxes, such as when a New Jersey resident works in New York City and pays a commuter tax. But what if the employee has moved to another state? If a new residence is established, whether temporary or permanent, the company has a responsibility to respond to those tax liabilities. The compliance teams would also have to investigate insurance matters and the benefits team would have to check things like health insurance, disability and worker’s comp. The most likely minimum is that the company would have to register in that state to withhold, file and pay unemployment. Even if the existing teams have the bandwidth to take on the extra work, where does the organization draw the line? Engaging an ERO or PEO is a step in the right direction, but not a failsafe.

Security teams handling threat intelligence also need to be in the loop regarding employee movements. In the People Risk Management model, security communications must be broadened to inform stakeholders of vulnerabilities that may be outside the company’s geographies of interest. If an employee wants to travel to a precarious destination, for instance to visit family for a month, the company may have a difficult time denying that person’s request to Work From Anywhere because precedents have been set that “anywhere” means just that, unless limitations have already been established. Including security personnel on the drafting of the policies will ensure a more robust perspective to achieve a clearer definition of what “anywhere” means and how and when it can be applied.

This integrated approach is more than just the spirit of teamwork, it is the foundation for achieving Agile Operational Resiliency, a framework we are advising many Global 2000 clients on navigating. For many large-scale enterprises, particularly multinational ones, COVID-19 necessitated a cross-functional team to come together as a task force to share information and coordinate a response, especially when things were changing daily. People Risk Management as a two-way street looking at risks both to and from the employee, was an integral leg in that stool. Now these same task forces are looking toward the future and applying the COVID experience to the problems of ongoing volatility as threats continue to cascade. Work From Anywhere policies, and People Risk Management in general, are at the heart of that.


Bruce McIndoe is a serial entrepreneur and a recognized leader in the risk management, travel and intelligence industries. As WorldAware founder, Bruce created the market leader in providing 24/7 operational risk intelligence and integrated risk management solutions. He also created the Travel Risk Management Maturity Model (TRM3) adopted by the GBTA. Prior to WorldAware, Bruce was founder and CEO of CSSi, an Inc. 500 and four-time Washington Technology FAST 50 company that developed software for the intelligence community. McIndoe Risk Advisory LLC is his current venture helping enterprises transition from travel risk to people risk management and guiding them along the journey to achieving Agile Operational Resiliency.