A Venue Owner’s Guide to the Protect Duty

The Manchester Arena bombing and the deadly year, 2017

As 2017 began, the U.K. had gone over a decade untouched by large-scale bombing attacks in its venues and crowded public spaces – the last incident being the 7 July central London bombings in 2005. All that would change on 22 May.

Around 22:30 BST time, a home-made bomb detonated in the foyer of Manchester Arena, just as Ariana Grande’s concert was letting out; more than 14,000 people were in attendanceⁱ. Such was the force of the blast that it was enough to kill anyone up to 22 metres away; it was a bomb intended to inflict mass damageⁱⁱ. 

Confirmed as a terrorist attack and suicide bombing, the incident precipitated 240 emergency calls, with sixty ambulances and 400 police officers attendingⁱⁱⁱ. All told,  23 people lost their lives, including the perpetrator, 22-year-old Salman Abed^iiv. An additional 116 people were admitted to the hospital^v.

The terror organisation, ISIS claimed credit for the attack^vi. The organised terror association compelled authorities to raise the country’s terrorism threat level to “critical,” the first such move in a decade^vii.

The city’s railway station was also badly damaged by the blast; it was evacuated and closed the night of the incident, only to open eight days later^viii. Manchester Arena, however, would stay closed until September of that year^ix.

By the time the venue reopened, the U.K. had already experienced another deadly incident in a crowded public space. On 19 June, Darren Osborne drove a van into a crowd of pedestrians near Finsbury Park Mosque in north
London, killing one man^x.

Months later another public space became the site of a bombing attack – this time the Parsons Green Tube, where a bomb only partially exploded on a London Underground train, injuring 50 people^xi. 

The impact of the 2017’s attacks

Counterterrorism policy needed to evolve to address those incidents, especially with new factors, such as the role of social media platforms in broadly disseminating terrorist propaganda and the rise of “DIY” terrorism, not always reflected in counterterrorism measures on the ground. 

The increasing popularity of DIY terrorist techniques specifically exposed a critical vulnerability in the country’s security apparatus. Rather than building complex explosives and coordinating across multiple stakeholders and targets, the new DIY terrorism relied on actors using any means at their disposal (crudely crafted explosives, cars, knives, etc.) to target crowded and/or open spaces^xii. 

The spaces aren’t targeted by happenstance. Crowded places abound in the U.K. The advocacy group, Survivors against terrorism, counts 650,000 such places in the whole country. Meanwhile, the percentage of those spaces that receive direct support from state counterterrorism networks is less than one percent. Ramping up state support to cover the remaining 99 percent-plus of crowded spaces is not logistically or fiscally feasible. 

Instead, policy stakeholders began asking, what are the responsibilities of the owners and operators of those crowded places in ensuring the operational security of their spaces and congregating publics. 

The genesis of Martyn’s Law

The reality is none exists. The U.K. lacks directly relevant legislation dictating counterterror protective security or preparedness outcomes for owners and operators of crowded spaces. The following legislation only provides parallel coverage:

• Health and Safety at Work Act (1974).
  The primary piece of legislation covering occupational health and safety.
• Crime and Disorder Act (1998).
  Omnibus legislation introducing various anti-social behaviour, sex offender, and parenting measures.
• Licensing Act (2003).
  Creates an integrated scheme for licensing premises used for the sale or supply of alcohol
• Civil Contingencies Act (2004).
  Defines obligations for certain organisations to prepare for various types of emergencies.

The glaring lack of directly relevant legislation, even in the aftermath of high-profile incidents, struck the mother of one of the victims of the Manchester Arena attacks deeply. Figen Murray, mother of Martyn Hett, attended an event a year after the Manchester Arena bombing and noted the lack of protective security measures in place^xiii. 

Thus began a crusade to help build a legislative infrastructure for security in crowded public places and venues. Those actions eventually culminated in the antiterrorism legislation, Martyn’s Law or the Protect Duty.

The bill has been read into the parliamentary record and is now in the midst of its consultation period, during which time stakeholders will be given the opportunity to weigh in on how the proposals will work and to whom they should apply. 

What is the Protect Duty

What’s being proposed and to whom? Martyn’s Law seeks to create a protect duty for owners and operators of crowded public places and venues, compelling those stakeholders to step up venue security efforts in the face of the terror threat. More than that, the law would make it a legal requirement for owners and operators to consider the risk of terrorism and take proportionate mitigation measures to protect the public. 

The proposed protect duty applies to the following groups:

• Public venues.  The owners and operators of publicly accessible venues with capacity of 100 persons or more. 
• Large organisations, e.g., retail or entertainment chains. The owners and operators of organisations with staffs of 250 persons or more that operate at publicly accessible locations. 
• “Open” public spaces,  e.g., public parks, beaches, thoroughfares, bridges, town/city squares, and pedestrian areas. 

Not all groups will have the same responsibilities. For instance, the owners of venues and large organisations, are likely to be required to:

• Use available information and guidance provided by the Government (including the police) to consider terrorist threats to the public and staff; 
• Assess the potential impact of identified risks across their functions and estates, and through their systems and processes; and
• Consider and take forward “reasonably practicable” protective security and organisational preparedness measures, e.g., staff training and planning for how to react in the event of an attack

Meanwhile, stakeholders involved in the management of open public spaces (e.g., local authorities) are likely to be required to:

• Develop local, strategic plans to mitigate the risks and impacts of terrorism;
• Implement proportionate measures through relevant systems, processes, and functions to improve public safety and security;
• Establish clear roles and responsibilities for local partners; and
• Work with key partners (e.g., police) to consider how a security plan would operate in priority local areas 

How will compliance be demonstrated? Far from a pro forma risk assessment, policymakers envisage a stricter requirement, whereby owners and operators will have to lay out:

• The range of threats that have been considered;
• The steps taken to mitigate the identified threats; 
• The steps that have been taken to prepare for and/or respond in the event of an attack; and
• Where steps have not been taken, the reasons why

Further, the risk assessment itself is intended to be a formal document, recorded and retained by venues and organisations as a means of showing compliance with the duty. The protect duty is also likely to compel owners and operators to review their assessments on an annual basis (at least), with changes in risk context inducing additional reviews. 

What changes matter? Both external and internal risk changes would qualify. Examples of a shift in the external risk context include a significant terrorist attack, changes in the Government’s own national terrorism threat level assessment, and/or changes to threat methodologies. An internal risk context shift might include an expansion of the premises, significant increase in staff, or a change in the operation’s business model. 

That’s not all. Beyond the risk assessment, further supporting evidence for compliance is likely to include: 

• Brief summary of risks and actions considered and subsequently taken;
• Completion of certificates from appropriate staff training courses; 
• Evidence of physical security measures implemented; and 
• Evidence of attack response plans and their testing with staff. 

How to prepare to comply with the Protect Duty

So, what happens now? Well, the proposed law has gone to stakeholder groups for consultation. Those groups can respond online or by paper with their reply to the queries raised in the text of the proposal.

The next step would be for policymakers to incorporate responses from stakeholder groups and pass the proposed legislation into law. Groups would likely have a short phase-in period before they have to demonstrate compliance. But that is not certain.

More certain, we argue, is that the heart of the proposals will be passed into law as is, in which case venues and large organisations particularly should begin preparing sooner rather than later to comply with the
following provisions:

• Documented engagement with counterterrorism advice and training, likely to be freely available through the National Counter Terrorism Security Office (NaCTSO)
• Assessment of vulnerability of operating places and spaces
• Documented mitigation (if not control) of risks identified in the above vulnerability assessment
• The putting-in-place and documented testing of a counter-terrorism plan

Much hinges on the risk assessment as measures are meant to be proportionate to identified risk. The key points to consider about that risk assessment exercise are that overall risk is typically the product of multiple factors: threat, vulnerability, and consequences. 

Those underlying factors can change often in high-risk environments, such as popular venues – likely to be the focus of auditory review. As such, continual review and update of the risk assessment will be important even after establishing a risk assessment baseline. This is what’s often referred to as a Dynamic Ongoing Risk Assessment (DORA)^xiv. Indeed, one-time events at large venues may even warrant standalone risk assessments specific to the event.

How to best approach the risk assessment: the audit should itself be proportionate to the venue’s size and presumed risk. That means ensuring that stakeholders with planning, mitigation, response, and recovery (i.e., the full emergency lifecycle) responsibilities are involved in a collaborative approach during its development. Security management technologies might also need to be deployed for the exercise, not just as by-products of the assessment. 

The risk assessment team itself will determine plausible threats to the venue and their relative probability of happening. From there, the team should review each threat carefully to better understand its relation to vulnerability and consequence.

What else? It’s only developing a complete profile of the venue – here, critical assets will be addressed and their importance to operations and command detailed – that will ensure a base layer of data for conducting the mandatory vulnerability assessment in the first place. 

The venue’s profile includes the facility’s name, owner/ operator, address, coordinates, size, capacity, and other high-level facility information, as well as its core operational purpose. You might even consider adding typical events hosted, their frequency, and how the venue is used during them to the profile, as well. Highprofile venues often conduct this level of analysis in coordination with roadway management agencies in order to understand traffic and crowd flows, which can be
risk vectors.

Based off of this profile, the subsequent assessment will account for the venue’s/facility’s susceptibilities to identified threats. This in-tandem approach assumes that attacks on key support infrastructures inevitably lead to cascading consequences. 

Finally, as the proposals themselves mandate, continuous review of the base-line risk assessment will be required. The compliance best-practice, here, is to prioritise continuous review not just through re-assessments but jurisdictional exercises and evaluations, as well. 

Complying with the risk mitigation and planning requirements

Besides the vulnerability assessment, the most tangible measure to demonstrate compliance with the Protect Duty will be the counterterrorism plan, which is one of many means to mitigate the risks created by identified
vulnerabilities. How to address the response planning requirement, then?

Well, response, here, refers to all activities involved in mitigating the damage to your venue and its people created by a terrorist attack. A clear response plan will ensure venues not only address mitigation via security operations intended to reduce risk but also tackle the equally important mitigation of consequences that would likely follow from the incident.

When it comes to venue security, mitigating measures tend to be implemented using a layered approach, with perimeter (outer zone) control specifically balancing safety and security dictates. What this typically looks like operationally is that the outer perimeter – often linked to area transportation – serves as the initial opportunity for the venue to start reducing risk; coordination with the relevant transit operation agency will therefore ne critical.

Add to that, all vehicles docking could pose a threat, so personnel should be thoroughly screened. Similarly, bags pose risk as containers to deliver improvised explosives. 

For the middle and inner zones, mitigation measures might look like periodic sweeps and CCTV cameras to support monitoring and response, though the latter should be used in the perimeter, as well. In fact, venues should have sufficient cameras to provide coverage for all major and minor areas within the venue.

Clearly defined areas and access points limited to appropriate security personnel will also be important for inner zone security, so will addressing all possible intrusion paths identified during the vulnerability analysis, as bad actors might use any method of attack, e.g., food contamination, mail delivery, service repairs, etc. 

A final word: shelter-in-place, partial, and complete evacuations are likely responses to the incidents considered by your venue. What’s more, specific plans might need to be put in place for other likely threat scenarios, such as bomb threat, mail bomb threat, fire, utility outage, hazardous material, civil unrest, active shooter, improvised explosive, vehicle-borne improvised explosive, medical emergencies, etc. 

Those recommendations only scratch the surface. Further, operational best practices include:

• Implementing security tactics prior to, during, and after people access facilities
• If parking areas are present, assigning staff to those areas who are able to relay information to a central command
• Checking vehicles parked in the immediate vicinity of the venue (up to 100 feet) using a predetermined vehicle security screening process
• Employing at least one method of patron screening, e.g., pat-down, wanding, magnometer
  - If employing magnometers, limit the possibility of obstruction during evacuation
• Screening bags entering venues
• Estimating queue length to assess the risk to patrons waiting in line to enter
• Only allowing pre-cleared deliveries; then examining the delivery manifest against contents submitted as well as the credentials of the delivery person 
• Inspecting media vehicles permitted on the premises
• Incorporating random checks of food vendor products as unloaded
• Drafting proper signage for patrons indicating which areas they can and cannot access within the inner zone
• Credentialling using colour-coding to assist in the limiting of employee and patron access only to appropriate areas
• Planning for the possibility of mass fatalities
• Incorporating Government agency best practices as they become available

In all of this, it will be crucial to formalise all assumptions and unwritten plans, then drill all plan policies and procedures regularly via tabletop exercises (or the like) that are quantifiable as well as realistic.

In close, the Manchester Arena bombing exposed the extreme vulnerability of venues and crowded public spaces to the threat of improvised terrorist techniques. The state has acknowledged that its security arm alone cannot control the threat. Martyn’s Law passes part of burden of protecting venues and people onto owners and operators. And although its final contents have yet to be hammered out, venue owners and operators can expect a significant increase in their operational security responsibilities. It is imprudent to wait.

Nor does taking a full lifecycle approach to the management of terrorist threats and incidents, as outlined in the guide, require owners and operators to wait for final legislation. For that matter, investing in the appropriate integrated security management software, like Noggin Security, which brings the appropriate risk, information, and incident management capabilities to the management of all security incidents, threats, and operations, doesn’t either. Do both to start protecting your people, publics, and property today, easing your path to compliance. 

Citations

ⁱ     BBC: Manchester attack: What we know so far. Available at https://www.bbc.com/news/uk-england-manchester-40008389

ⁱⁱ     Helen Pidd, The Guardian: Manchester Arena bomb was designed to kill largest number of innocents. Available at https://www.theguardian.com/uknews/2017/jun/09/manchester-arena-bomb-designed-kill-largest-number-innocents.

ⁱⁱⁱ     C: Manchester attack: What we know so far. Available at https://www.bbc.com/news/uk-england-manchester-40008389.

^iv     Ibid.

^v     Ibid

^vi     BBC: Terror threat level raised after Manchester attack. Available at https://www.bbc.com/news/av/uk-politics-40022988.

^vii     Ibid.

^viii     BBC: Manchester Arena blast: 19 dead and more than 50 hurt. Available at https://www.bbc.com/news/uk-england-manchester-40007886.

^ix     Jack Shepherd, Independent: We Are Manchester: Tearful Noel Gallagher reopens Manchester Arena, performs 'Don't Look Back in Anger'. Available at https://www.independent.co.uk/arts-entertainment/music/news/noel-gallagher manchester-arena-we-are-manchester-concert-tears-liam-prstunt-a7938746.html.

x     BBC: Finsbury Park mosque attack. Available at https://www.bbc.com/news/topics/c6xq807pw50t/finsbury-park-mosque-attack

^xi     Parsoms Green attack: Iraqi teenager convicted over Tube bomb. Available at https://www.bbc.com/news/uk-43431303.

^xii     Survivors against terro: Martyn’s Law: Proposed new legislation to provide better protection from terrorism for the British public. Available at https:// democracy.manchester.gov.uk/documents/s13150/Appendix%201%20-%20Martyns_Law_Final_Report.pdf

^xiii     Ibid

^xiv     Command, Control and Interoperability Center for Advanced Data Analysis: Best Practices in Anti-Terrorism Security for Sporting and Entertainment Venues Resource Guide. Available at http://ccicada.org/wp content/uploads/2017/05/Best-Practices-Anti-Terrorism-Security-Resource-Guide.pdf