On 22 May 2017, Salman Ramadan Abedi, an Islamist extremist suicide bomber, detonated a shrapnel-laden improvised explosive device (IED) as people were leaving the Manchester Arena following a concert by American singer Ariana Grande.
23 people died, including the attacker, and 1,017 were injured, some of them children. Several hundred more suffered psychological trauma.
In a subsequent inquiry, the inquiry chair criticised event management at the arena prior to and during the attack, the result being a call for legislation referred to as Martyn’s Law. Martyn Hett was killed as a result of the attack, and efforts have been made to introduce appropriate legislation, now known as Protect Duty.
“There ought to be a risk assessment for every venue. A specific risk assessment for each event which involves the attendance of a substantial number of people. All risk assessments for large concert venues should include consideration of the risk of a terrorist attack. Inadequate consideration of that risk may result in incorrectly identifying a low risk. This in turn may cause those responsible for security to be insufficiently alert.”
Report of the Public Inquiry into the Attack on Manchester Arena on 22 May 2017
Chairman: The Hon Sir John Saunders.
“We consider that it is reasonable for publicly accessible venues able to hold gatherings of 100 persons or more to carry out an assessment of threats and implement appropriate mitigating measures at their premises.
We propose that risk assessments required by the Duty should demonstrate:
• The range of threats that have been considered.
• The steps that have been subsequently taken to mitigate these threats.
• The steps that have been taken to prepare for and/or respond in the event of an attack.
• Where steps have not been taken, the reasons why.”
Protect Duty Consultation: Making the public safer at publicly accessible locations
The Risk Journey: Assess, Survey, Audit
Whilst I agree with both of the above statements, my concern is that those responsible for the security of such venues may feel exposed through a lack of subject matter expertise and will consequently struggle to understand and carry out the process of achieving the requirements of Protect Duty.
The aim of this article is not to prescribe a set of technical solutions in relation to terrorism and publicly accessible locations, nor to point the finger of blame; rather it is to offer rudimentary advice and guidance to lay persons who may struggle and feel unable to comply with the relevant security and risk management legislation.
In the forthcoming book The Security Risk Handbook: Assess, Survey, Audit, I argue that the process of protection is defined by the order in which the three elements are carried out (assess, survey, audit): The Risk Journey.
Based on my experience, I would now like to take the opportunity to advise how, by using The Risk Journey approach, those responsible for ensuring that Protect Duty is complied with will be able to utilise a logical process to protect their locations and consequently people therein.
The Security Risk Assessment, the Security Survey and the Security Audit should be carried out by a Subject Matter Expert (SME) with relevant qualifications and experience.
The Security Risk Assessment
The Security Risk Assessment (which can be carried out remotely) is the foundation for the process and is based on an understanding of the following risk elements:
The first task that the Security Risk Assessor must carry out is to identify the assets that he or she is tasked with protecting; examples being people, property, infrastructure, brand and reputation.
After asset identification, the Security Risk Assessor should carry out a vulnerability and threat assessment. Using a variety of research methods, he or she will first identify the vulnerabilities found at the location, such as weak access control and poor or inappropriate physical (including manned guarding) and electronic security systems. The assessor will then carry out a researched assessment to determine what threats may be present and who the aggressor(s) may be. In terms of Protect Duty, the critical threat emanates from terrorist organisations.
Once the vulnerability and threat assessments have been carried out, the next task is to measure the likelihood of an attack. In order to achieve this, the Security Risk Assessor will examine past attacks against similar venues, the attractiveness of the asset to the aggressor, the threat level and the expected impact.
The assessor will then formalise the Security Risk Assessment by multiplying the likelihood of an attack by the impact of its success, which will result in a risk factor.
The final part of the Security Risk Assessment is the presentation of the findings to the risk owner, who will decide how the risk is to be treated if it is not accepted. The risk will be either avoided, reduced, spread or transferred.
Incident Response Plan
As part of the Security Risk Assessment (SRA), the assessor should also take into consideration the requirement for the venue security team to have the capacity to respond effectively to a range of threat scenarios. An Incident Response Plan should be written and then tested on a regular basis.
The Security Survey
The Security Risk Assessment can be carried out remotely, as it is based on robust research, but the Security Survey is a ‘boots on the ground’ process, when all systems and processes are physically examined to determine their appropriateness.
End users of systems such as CCTV, IDS, access control etc. can normally offer a reasonable assessment of how systems are functioning, but the Security Surveyor should have the competence to judge if the same systems are technically fit for purpose.
The Security Survey should be divided into six distinct phases:
This is a critical phase, as both parties must be in agreement about the work to be carried out. Issues such as times, locations, personnel etc. should be discussed and agreed during this phase of the survey.
The Security Surveyor needs to have an understanding of the organisation to be surveyed, including areas such as:
This will include, but is not exclusive to:
This is the opportunity for the Security Surveyor to inspect all physical systems and procedures, including an examination of whether such systems are fit for purpose, whilst concurrently speaking to critical personnel on site who may influence security and risk management. During this inspection phase, the Security Surveyor may recommend an upgrade or replacement of particular systems.
Once the Security Surveyor has completed the survey, he or she must set aside time to debrief the point of contact, in order to deliver an overview of their findings. This is also an ideal opportunity to point out any ‘quick fixes’ that can be attended to immediately.
The debrief should be followed by a comprehensive Security Survey report, delivered within an agreed time period. Security of the report must be taken into consideration, as it is likely to contain sensitive information and data; very often, hand delivery is a requirement.
During the survey, security standards for the location should be agreed with the client, to be followed sometime later by a Security Audit.
The Security Audit
The Security Audit is a means of ensuring that the results of the Security Survey are being adhered to. That is to say that all standards, whether internal or external (BSI/ISO), identified during the Security Survey have been recorded and there is evidence of compliance.
Security training and communications
Finally, we must ensure that lessons have been learned from the Manchester Arena attack, in particular the need for effective security training, preferably to SIA standards. Event management teams must also ensure that an effective reporting system is in place which allows members of the public to communicate any worries and concerns to the relevant authorities.
Every publicly accessible space in the UK requires protection from the threat of terrorism. The government can pass legislation that demands such action is taken, but the responsibility lies squarely with us.
The police will always be in support, but the security industry must pool all of its vast resources to ensure the highest-rated levels of protection are provided to keep our men, women and children safe.
The inquiry may have found deficiencies on the night of 22 May 2017, but the time for blame is over and we must now learn very painful lessons to make sure that Manchester never happens again.
By Charles Swanson MSc CSyP FSyI