What CHROs Get Wrong About Executive Safety — And How to Fix It Before the Board Asks

By Kenneth Wilson · Wilson Global Protection Group

Most CHROs and Chief People Officers have built robust programs around executive wellness — mental health support, EAP access, resilience coaching, and increasingly sophisticated travel health protocols. They have taken workforce safety seriously in every dimension they were trained to own. But there is one dimension of executive safety that almost universally falls through the gap between HR, the security function, and the COO’s office: physical security for senior executives operating in elevated-risk environments. When something goes wrong in that gap, the CHRO discovers they own more of the aftermath than they realized — and the board conversation that follows is not a comfortable one.

The Misconception: “That’s Not My Function”

The most common framing in CHRO conversations about executive protection is some version of: “We have a head of corporate security who handles that,” or “the COO owns security decisions.” This is true in the operational sense — the security director or COO typically makes the call on whether to engage a provider, which threats to take seriously, and what coverage looks like in practice. But the duty-of-care framework does not follow the organizational chart.

When a C-suite executive is harmed during business travel — or when a threat goes unaddressed and the board demands an accounting — the inquiry moves to: who owned the framework for executive health and safety? Who documented the risk assessment process? Who maintained the written protocols? In most organizations, that trail leads back to HR. The head of corporate security may have made the operational decision; HR owns the policy environment that decision was supposed to operate within. That distinction matters enormously in a board inquiry, a regulatory review, or litigation.

The CHRO is not expected to run a close protection detail. But they are expected to have owned the framework that would have ensured that decision was made correctly and documented defensibly. In most organizations today, that framework does not exist at the level the situation now requires.

Where the Gap Lives

CHROs have built genuinely strong programs in the areas they were asked to own. Employee Assistance Programs cover mental health and crisis support. Travel medical insurance covers emergency evacuation, hospitalization, and repatriation. Executive health programs cover annual physicals, specialist access, and medical advisory services. These are real investments, and they reflect a genuine commitment to executive well-being.

None of them address physical security in elevated-risk environments. None of them assess whether the CEO traveling to a country with an active kidnap-for-ransom threat profile has a vetted ground transport arrangement, a check-in protocol, or a close-protection presence calibrated to the threat level. None of them produce a documented threat assessment for the board or insurer to review. Travel medical insurance is reactive — it responds after something has gone wrong. An executive protection program is preventive — it is designed to ensure the incident that triggers the insurance claim never happens.

The gap is structural, not intentional. CHRO mandates have historically not included physical security. The security function historically did not report into HR. The COO handled operational decisions about executive travel without a formal handoff to HR for policy documentation. These were reasonable organizational patterns in a lower-risk environment. They are increasingly inadequate as the threat environment for senior executives in financial services, private equity, and large enterprises has changed — and as boards, insurers, and regulators have begun treating duty of care as a documentable, auditable standard.

What “Executive Safety” Actually Means at the CHRO Level

The CHRO’s role in executive safety is not operational. It is architectural. The question is not whether the CHRO can brief a principal on a threat assessment or coordinate ground transport in Lagos — that is what a qualified executive protection (EP) provider does. The question is whether the CHRO owns the framework that ensures those decisions happen, that the right providers are selected through a documented process, and that the organization can demonstrate its approach to executive physical safety if asked.

In concrete terms, that means four things:

Written travel risk protocols that define what triggers a security review before a senior executive travels — destination risk level, principal profile, travel purpose, and duration. These protocols should live in HR policy documentation, not in the security director’s institutional memory.

Pre-travel briefings from vetted intelligence sources. Not government travel advisories alone — those lag the actual threat environment by weeks. Current, operationally specific intelligence from a provider who understands the difference between the risk profile of a capital city conference hotel and a plant site in the same country.

A documented provider selection process. The organization chose a particular executive protection and crisis management provider through a process that evaluated credentials, experience, and operational capacity. That selection decision is documented. The vetting criteria are on record. This is exactly the kind of defensible due-diligence trail that matters in a post-incident review.

An incident response chain that is defined before the incident occurs. Who does the executive call? Who does the security provider call? What authority does the provider have to make decisions in the field? What escalation path does HR own? These questions should have written answers before the situation that requires them arises.

The Board Conversation That’s Coming

ESG governance has moved executive safety squarely onto the board agenda in ways that did not exist five years ago. The “S” in ESG has expanded to include occupational health and safety at the leadership level. Duty-of-care frameworks for mobile executives are increasingly referenced in proxy advisor guidance and institutional investor questionnaires. Insurance carriers underwriting D&O and key-man coverage are asking more specific questions about what documented protocols exist for senior executives who travel to elevated-risk regions.

CHROs who have not built this documentation layer are not in a bad position because they failed — they are in a bad position because the question has moved faster than the policy environment has. The board is increasingly likely to ask, during an annual governance review or in the wake of any significant incident involving a peer organization, what the company’s documented approach to executive physical safety looks like. Being unable to produce a clear answer — written protocols, a credentialed provider, a documented selection process — is an uncomfortable position for any CHRO to occupy in that room.

This is not hypothetical exposure. It is a governance gap that is becoming more visible as boards apply the same documentation standards to executive safety that they have long applied to cybersecurity, financial controls, and operational risk. The organizations that get ahead of it are not the ones responding to an incident — they are the ones whose CHROs recognized the gap before the board asked the question. See also what enterprise security directors typically miss in the same governance context — the CHRO and security director blind spots often intersect in ways that create the largest gaps.

The Right Entry Point

The right first step for a CHRO who recognizes this gap is not a full executive protection program — it is a scoping consultation that produces a written assessment and protocol recommendation. Something the CHRO can put in front of the board, the general counsel, or the head of corporate security and say: we have formally assessed our duty-of-care posture for mobile executives, identified the gaps, and here is what a properly structured program looks like for our organization.

That document — a written security risk assessment and protocol recommendation from a credentialed provider — is itself a duty-of-care demonstration. It is evidence that the organization took the question seriously, engaged qualified expertise, and documented its findings. For many organizations, that document becomes the foundation for a conversation with the board about program investment. For others, it clarifies that the existing posture is closer to adequate than assumed, and identifies specific targeted improvements rather than a complete rebuild.

Wilson Global Protection Group works directly with HR and people leadership teams to structure this kind of engagement. The scoping consultation is led by Kenneth Wilson — CPO, PPS, and EPS certified — who brings the operational credibility of a working protection professional and the communication style of someone accustomed to briefing C-suite audiences who do not have a security background. The output is written, structured for legal and board review, and actionable. For a sense of what program investment looks like at different coverage levels, the executive protection cost guide provides realistic benchmarks for organizations in the scoping phase.

The GC and legal team are often involved in the same conversation. If your general counsel has already raised the duty-of-care question or is being asked by the board to document EP protocols, the engagement framework for legal teams covers the same ground from the legal function’s vantage point. The right answer for most organizations is a joint conversation between HR and legal — both functions own pieces of the duty-of-care framework, and a single scoping engagement serves both.

Ready to close the gap before the board asks?

Our $500 scoping consultation produces a written assessment and protocol recommendation — structured for board and legal review, no retainer required.

Kenneth Wilson · CPO · PPS · EPS · New York