Lessons learned from the Manchester Arena Inquiry: Developing leading practices for securing venues of mass gathering against the terrorism threat

The Manchester Arena bombing and the deadly year of 2017

As 2017 began, the U.K. had gone over a decade without suffering a large-scale bombing attack – the last incident being the central London bombings of July 2005. 

All that would change on 22 May.

Around 22:30 BST time, a home-made bomb detonated in the foyer of Manchester Arena, just as an Ariana Grande concert, attended by more than 14,000, was letting out. 

Although homemade, it was a bomb intended to inflict mass damageⁱ, with sufficient force to kill anyone up to 22 metres awayⁱⁱ. 

Confirmed as a terrorist attack and suicide bombing, the incident precipitated 240 emergency calls, with sixty ambulances and 400 police officers attendingⁱⁱⁱ.

All told, 23 people lost their lives, including the perpetrator, 22-year-old Salman Abedi^iv. An additional 116 people were admitted to the hospital^v. 

The terror organisation, ISIS claimed credit for the attack^vi. And this association with organised terror compelled authorities to raise the country’s terrorism threat level to “critical”, the first such move in a decade^vii. 

Manchester’s railway station was also badly damaged by the blast. It was evacuated and closed the night of the incident, only to open eight days later^viii. 

Manchester Arena, however, would stay closed until September 2017^ix. 

By the time the venue reopened, the U.K. had already experienced another deadly incident in a crowded public space. On 19 June, Darren Osborne drove a van into a crowd of pedestrians near Finsbury Park Mosque in north London, killing one man^x.

Months later another public space became the site of a bombing attack – this time the Parsons Green Tube, where a bomb only partially exploded on a London Underground train, injuring 50 people^xi. 

The take-off in DIY terrorism

Following the attacks, all could agree that measures to prevent acts of terrorism needed to evolve. Indeed, context had changed, with social media platforms broadly disseminating terrorist propaganda. The rise of “DIY” terrorism, in particular, wasn’t always reflected in counterterrorism measures.

The increasing popularity of DIY terrorist techniques – whereby “lone wolves” use any means at their disposal, from crudely crafted explosives, cars, knives, etc. to target crowded and/or open spaces – served also to expose a critical security vulnerability.

How so? Rather than being able to track multiple actors building complex explosives and coordinating across multiple cells and targets, DIY terrorism seemingly target crowded and/or open spaces at random^xii. 

The spaces themselves aren’t targeted by happenstance. Crowded places abound. The U.K., specifically, counts 650,000 such spaces, according to the advocacy group Survivors against terrorism. On the other hand, the percentage of spaces that receive direct support from state counter-terrorism networks is less than one percent.

This crucial context inflects the first volume of the (three volume) public inquiry to investigate the deaths of the victims of the Manchester Arena attack. Published in 2021, the first volume focuses on the security of the Arena^xiii.

The volume not only details security lapses leading to the high-casualty event but also provides recommendations for securing venues of mass gathering going forward. This guide will detail many of the recommendations. For, they offer a set of leading practices valuable to stakeholders involved in the security of venues of mass gathering. 

In addition, this guide will also outline many of the digital capabilities needed to implement leadings practices. This is with the hope that venue owners and operators as well as other stakeholders (e.g., event management and security as well as crowd management subcontractors) can better ensure the safety of workers and venue attendees, stay within legal and regulatory strictures, mitigate property damage and other associated costs, as well as avoid reputational damage.

Global lessons from the inquiry into the Manchester Arena bombing

So, what can be learned from the Inquiry?

For starters, security arrangements for the Manchester Arena should have prevented or minimised the devastating impact of the attack but failed to do so. 

The most striking of missed opportunities was the attempt by a member of the public to bring concerns about the bomber, whom he had already challenged, to the attention of security staff employed by the crowd management and event security subcontractor.

Why weren’t the appropriate steps taken, then? The issues cited include:

• A lack of radios for lower-level security staff to raise concern initially
• When reported again (to the same Security person) by another member of the public, the staffer thought the report was about someone different 
• Once a member of staff with a radio was found, overuse of the radio channel prevented the report from being acknowledged 
• Lack of collaborative reporting between the owner and operator of the arena, its crowd management and security subcontractor, and the British Transport Police

Further lapses occurred. For instance, the Inquiry heard testimony from staffers decrying the quality of the training they had received. In one case, no trainings were conducted in person. In another, candidates were told the answers to the exam questions beforehand.

Risk assessments found to be inadequate

The Inquiry also faulted the quality of the risk assessments developed. Indeed, the risk assessments of both the arena operator and crowd management and event security subcontractor were heavily criticised.

Why?

The Inquiry concluded that the risk assessment of the arena operator failed to adopt a rigorous approach to the assessment of the risk of terrorism. Nor did the risk assessment identify what steps should be taken to reduce that risk should it materialise.

The specific risk assessment for the concert was considered inadequate, as well. Having descended into a box-ticking exercise, the risk assessment failed to identify the terrorism threat as a potential hazard. 

Why did it matter? Should an effective risk assessment process been undertaken, concluded the Inquiry, such a process would have identified significant deficiencies in security arrangements.

Similarly, the risk assessment of the crowd management and event security subcontractor was found deficient. Relevant staff failed to “notice the obvious and significant errors in the general written risk assessment in relation to the threat from terrorism to its employees”

The subcontractor didn’t have a general written risk assessment regarding the threat from terrorism in relation to event goers or other members of the public. Nor did the subcontractor seriously consider the risk of a terrorist attack and what steps it should take to mitigate the risk. And the document used to consider such matters failed to identify the use of patrols as a mitigation measure. 

Finally, both parties were faulted for failing to account for the steps taken by the other when conducting risk assessments. The necessary level of communication, coordination, and co operation was not achieved, nor did either party take steps to reach out to the relevant police force.

The regulatory regime

The latter point matters as it potentially put both parties crossways of the Management of Health and Safety at Work Regulations, 1999. This regulation requires employers to conduct a suitable and sufficient assessment of the risks to health and safety both in relation to employees and non employees arising out of, or in connection with, the conduct of its undertaking. Any employer who employs five or more people must record “the significant findings of the assessment”.

What about workplaces shared by multiple employers, as was the case in this venue of mass gathering and is likely to be the case in other such gatherings? 

There, the law stipulates that each employer is required to take reasonable steps to:

1. Cooperate with other employers in relation to health and safety duties 
2. Coordinate with other employers in relation to health and safety duties 
3. Inform other employers of the risk to their employees’ health and safety arising out of its activity

The event stakeholder might also have run afoul of its licensing commitments. For one, arena staffers carrying out searches didn’t have the required qualifications stipulated in the arena’s licence.

The premise’s licence also stipulated that a minimum number of stewards, as agreed by the local authority, should be provided. This kind of provision is intended to ensure a sufficient number of stewards and security staff to manage the crowd and monitor the area for threats. 

The Inquiry reported, however, that an agreed minimum number of staffers could not be found. Nor was there any supporting evidence that that number had ever been agreed to.

Developing leading practice in venue security based on Inquiry recommendations

Of course, complying with health and safety and licencing law is no guarantee that terrorism won’t happen at venues of mass gathering. More is needed to protect these venues.

Indeed, what qualifies a venue as a place of mass gathering is that it has the high potential to inspire terrorist attacks; and it only becomes so by concentrating large numbers of people (usually in larger cities) in accessible places.

In its recommendations, the Inquiry goes into what the practices to secure venues of mass gathering against the terrorism threat might look like. It advises venue operators and relevant stakeholders to continue to pay heed to the overarching terrorist threat, especially when that threat level is “severe,” meaning that a terrorist attack is highly likely. 

Further recommendations for hardening venue security include (1) providing site-specific risk assessments, as well as (2) specific assessments for each event which involves the gathering of substantial numbers of people. 

The risk assessments of large concert venues should include a serious consideration of the risk of terrorist attack, as well.

Another leading practice involves (1) noting all suspicious behaviour by event-goes or members of the public in proximity to the venue. All suspicious behaviour should be (2) reported promptly, so that investigations can be made and action taken.

Staffers should also (1) make a record of hostile reconnaissance for immediate reporting to law enforcement. Law enforcement, for its part, should (2) investigate the matter and report back. Subsequent briefings to security staff should (3) include details of the suspected hostile reconnaissance.

A further recommendation is ensuring cooperation between all relevant stakeholders. All stakeholders should consider themselves as having a duty to protect. Not just that, all stakeholders should only consider themselves as having discharged that duty by cooperating, communicating, and coordinating with all other duty-holders^xiv.

Some of these recommendations will be codified into law with the passage of Martyn’s Law, which will enshrine the protect duty. The Law, after all, would require the (a) preparation of a comprehensive risk assessment, (b) identification of control measures, and (c) explanation of how these measures will be implemented.

Many of the legal requirements proposed, however, only establish a floor (not ceiling) for what’s needed to secure venues of mass gathering.

What more is needed?

The Inquiry advises venue operators and other stakeholders to (1) seek out trained, accredited expert guidance when developing Protect plans. The provision of adequate training (2) should itself be a key control measure within the plan as well as (3) consideration of the need for enhanced training for those in roles which require it.

Another leading practice is establishing and maintaining shared situational awareness amongst all event stakeholders. As noted, members of the public made staff aware of the terrorist’s presence. That information, however, didn’t reach the level of personnel who would appropriately act upon it.

Reasons cited for this lapse in situational awareness included a lack of radios for lower-level security staff and subsequent overuse of the radio channel when a radio was found. But this rationale only suggests that if all staffers had radios, the waves would have been congested even further. 

There are further challenges with relying on radios to establish and maintain shared situational awareness. They include:

• Range and signal can significantly vary, with “blackspots” being more common in venues due to sound proofing and cladding to improve acoustics 
• Communication is voice reliant and misinterpretation amongst personnel is a common trend. 
• Information shared is not tracked, recorded etc. unless there’s a central receiver to record messaging which is difficult to access and assess during critical events. 
• Maintaining and managing the distribution amongst staff 
• Short battery life 

Costs associated with wider radio introduction can also be prohibitive. The hardware itself is expensive, and its proper use requires training which takes time and money

Digital technology solutions to help establish shared situational awareness

Indeed, the complexities of establishing shared situational awareness via radios or even face-to-face interactions are myriad in the venue of mass gathering context. There’s often an over-expectation of merging disparate processes (i.e., using a radio, performing threat assessments, understanding escalation stages, etc.) on those who have received rudimentary training.

Certain digital software platforms, however, have focused on targeting these pain points, with solutions designed to help establish shared situational awareness from any source. 

How do they work? Relevant capabilities are accessible to the public, staff, and responders, ensuring that those in command roles can quickly obtain the evidence needed to act swiftly to a range of different incidents. 

In the event scenario, the process would likely resemble this:

1. Public member identifies aggressive behaviour during an event and wishes to report it 
2. Member scans a QR code, providing access to an initial incident report, which allows the user to populate the following drop-down fields:
   a. Exact location 
   b. Type of incident, with multiple options  available with a drop-down list 
   c. Media upload if the member has recorded a  video or taken a picture 
3. Once submitted, the form will create a new incident dashboard, notifying those in command to assess the information provided and escalate or de-escalate the incident
4. If escalation is required, localised teams and action plans can be activated, with all staff having a clear awareness of the incident
5. Those in command roles can then update the incident, formulating a M/ETHANE message^xv, which can automatically activate the emergency services

Digital technology to improve the event coordination lifecycle

To improve event coordination, teams are likely to heed the Inquiry’s global recommendations to review, identify shortfalls, and build improved checklists and procedures, 

How are staffers likely to act upon these recommendations?

Staffers most likely will build more stringent, regimented processes within the systems or platforms they already have. They might even look to other system or platform providers for support or attempt to make changes themselves.

Each of these approaches, however, carries pitfalls, beginning with the fact that they are likely to be costly and time consuming. 

The teams tapped with making such changes might also get tunnel visioned. And that tunnel vision is likely to come at the price of focusing on securing venues. Teams might also fail to share improvements or stress test new procedures and process, which might lead to unforeseen flaws. 

Organisations that already boast basic platforms for managing safety practices, training records, and generalised governance might try to stretch their solutions to fit the event coordination and security use case. 

Why does it matter? Few platforms exist to effectively facilitate multi-organisation coordination. That matters because correspondence and information sharing will continue to be done through email and personal meetings. 

Stakeholders responsible for managing the full event lifecycle will, therefore, continue to bear the added burden of transferring relevant data manually, to ensure the appropriate situation reports, briefings, safety reports, and more are captured before, during, and after the event. 

Fortunately, there are platforms on the market that can facilitate this level of full lifecycle coordination. They provide the further benefit of leaving an audit trail behind that captures active participation and acknowledges information was received at every stage of the life cycle. 

How do these platforms help? Digital capabilities to enhance the event coordination throughout its entire lifecycle include:

Pre-event

• Determine counter terrorism plan 
• Determine responsibilities and primacy for the event
• Submit results of hostile reconnaissance to case management review
• Perform appropriate threat assessments
• Determining appropriate threat level perimeters
• Facilitate safety and security briefings

During the event

• Provide visual awareness of status for all security staff
• Enable public and lower-level staff to submit incident forms into event dashboard
• Medium/ high level security staff, present BTP/ Police etc. being notified of submitted material.
• Enable Security leads to assess and change threat level, activate new perimeter, by activating the relevant team and individual procedures
• Provide checklists with guidance, to ensure staff performs tasks (e.g., surveillance and egress management) correctly and avoids complacency

Post event

• Facilitate the debriefing process
• Provide safety reporting functionality
• Close out procedures which can ensure zonal operations can be adequately shut down
• Performance management and review of tasks 
• Highlight areas for improvement

Finally, the Manchester Arena bombing was the work of one evildoer. But that evildoer skilfully exposed the extreme vulnerability of venues and crowded public spaces to the threat of improvised terrorist techniques.

Those most responsible for the security of staff, the public, and attendees were also deficient, as the Inquiry concluded. 

Going forward, venue owners and operators along with the event management and security teams they contract must do better. Recommendations made by the Inquiry are a good place to start.

Given the threat, though, more is likely to be needed, such as investing in the appropriate integrated security management software solutions. These platforms bring advanced risk, information, and incident management capabilities to the management of all security incidents, threats, and operations. They serve the greater purpose of helping venue and event stakeholders to protect their people, publics, and property, easing them on the path to present and future compliance.

Sources

^i. Helen Pidd, The Guardian: Manchester Arena bomb was designed to kill largest number of innocents. Available at https://www.theguardian.com/uknews/2017/jun/09/manchester-arena-bomb-designed-kill largest-number-innocents. 

^ii. BBC: Manchester attack: What we know so far. Available at https://www.bbc.com/news/uk-england-manchester-40008389. 

^iii. Ibid.

^iv. Ibid. 

^v. Ibid.

^vi. BBC: Terror threat level raised after Manchester attack. Available at https://www.bbc.com/news/av/uk-politics-40022988. 

^vii. Ibid.

^viii. BBC: Manchester Arena blast: 19 dead and more than 50 hurt. Available at https://www.bbc.com/news/uk-england-manchester-40007886. 

^ix. Jack Shepherd, Independent: We Are Manchester: Tearful Noel Gallagher reopens Manchester Arena, performs ‘Don’t Look Back in Anger’. Available at https://www.independent.co.uk/arts-entertainment/music/news/noel-gallagher-manchester-arena-we-are-manchester-concert-tears-liam-prstunt-a7938746.html.

^x. BBC: Finsbury Park mosque attack. Available at https://www.bbc.com/news/topics/c6xq807pw50t/finsbury-park-mosque-attack. 

^xi. Parsoms Green attack: Iraqi teenager convicted over Tube bomb. Available at https://www.bbc.com/news/uk-43431303. 

^xii. Survivors against terror: Martyn’s Law: Proposed new legislation to provide better protection from terrorism for the British public. Available at https://democracy.manchester.gov.uk/documents/s13150/Appendix%201%20-%20Martyns_Law_Final_Report.pdf. 

^xiii. Volume two, beyond the scope of this guide, covers the emergency response to the terror attack. The final volume remains unpublished

^xiv. Martyn’s Law would establish an affirmative duty to protect. For more on Martyn’s Law, download https://www.noggin.io/resources/guide-tounderstanding-the-protect-duty-and-martyns-law. 

^xv. M/ETHANE is the established reporting framework in the U.K. It provides a common structure for responders and their control rooms to share incident information.