The Need for Martyn's Law

Legislation and Regulation for the Protection of Crowded Places 

The suicide bombing attacks against concertgoers at the Manchester Arena in 2017 has given rise to a new campaign to change the laws in the UK related to the protection of public venues against terrorism. Under new proposed legislation, “Martyn’s Law” named after one of the victims in Manchester, protective security and counter-terrorism would become mandatory requirements for public venues capable of accommodating large numbers of people, commonly known as ‘crowded places.’ The thrust of the proposed legislation is similar to existing health and safety or fire safety legislation that mandates owners and operators of buildings and venues to address potential terrorism risks and have a viable counterterrorism (CT) plan. Campaigners for Martyn’s Law include not only victims’ families, but former counterterrorism police officers, including Andrea Bradbury and Nick Aldworth. In a BBC Radio 4 interview with Figen Murray and Nick Aldworth on June 19th, when asked whether this type of law would help improve counterterrorism protection efforts, Nick Aldworth was unequivocal in his support. 

The thrust of the legislation should be welcomed and would further bolster the efforts by many of us in both the public and private sectors who work to protect people and buildings against terrorism. For years, security risk management professionals have been calling for changes that would strengthen the requirement for security at publically accessible spaces, places, and venues. Security, let alone counterterrorism, has traditionally been seen as a subset of health and safety, facilities management, or building services engineering with an overemphasis on operational and technological measures. Security is often seen as a cost that does not contribute to a business’ bottom line, and therefore is sacrificed for greater profitability. 

Counterterrorism protective security is almost entirely thought to be the province of the police and security forces, and not the responsibility of property owners. 

Existing legislation such as the Corporate Manslaughter and Corporate Homicide Act of 2007, the Occupiers’ Liability Act, and health and safety legislation in the UK is purely reactive, and does little to deter, prevent, or protect against an attack, as it only makes someone accountable afterwards.  The current system is simply not good enough; whether that be through poor risk identification; inconsistency within the security industry to properly advise property owners; and almost an attitude by property owners to deny the risks or readiness to simply accept identified risks under the auspices that it is too difficult or expensive to treat. Perhaps more importantly, no one is making them do anything about it and there are few incentives.

The inquests into the Manchester and London Bridge attacks in 2017 have highlighted significant failings to recognize the obvious risks and be prepared for them before they occurred. This is an interesting paradox in that there are mandatory requirements related to the number of toilets or fire safety measures for publically accessible premises to proactively mitigate these risks, but not for property owners of crowded places to proactively address the counterterrorism risks facing their properties and their customers. The lack of performance based regulation that mandates crowded places property owners and operators to adopt a security risk management program, and demonstrate how vulnerability to terrorism and risk is reduced, can and should be addressed. Perhaps now public opinion and the threat of litigation may be the necessary push for more to be done.

How did we get into the current situation?

For most property owners, terrorism is the classic example of a low likelihood high consequence risk scenario, with the typical response being to accept the risk and do nothing, especially if nobody is forcing them to do anything about it. Unfortunately, the dynamics of terrorism across the world have dramatically changed including threat actors, attack methodologies, and targets. The terror attacks in Manchester and London in 2017, as well as Paris, Nice, Barcelona, Las Vegas, Istanbul, and numerous others in recent years demonstrate that both publically accessible spaces and places, regardless of private or public ownership, will be targeted. It is also likely that the current trend of targeting privately owned but publically accessible spaces and places by terrorists and other socio-politically motivated violent actors will continue. Terrorists do not respect or care about property boundaries or the complexities of ownership and operation. What they care about is maximizing the impact of their attacks knowing full well that an attack on a privately owned but publically accessible property will impact not only the individual human casualties they cause, but the property owner, economic sector, and ultimately the government. 

As such, terrorism is a societal issue and requires a response from the whole of society and not simply governmental agencies charged with intelligence and law enforcement.  The UK has many different agencies and organizations that work to address the protection of ‘soft targets’ against terrorism such as Counter Terrorism Policing (CTP), the National Counter Terrorism Security Office (NaCSTO), and the Centre for the Protection of National Infrastructure (CPNI). In August 2018, the National Planning Policy Framework (NPPF) was updated to reflect the unfortunate reality that premises may be subjected to a wide range of ‘malicious threats’ and that those locations that attract high densities of users may be targeted by terrorists. Under NPPF 2018 new development applications must be able to evidence that they have fully considered these risks when developing their layout and design proposals and this should necessitate the involvement of security specialists within design teams. 

Unfortunately, few planners have little time to review every development, and the ability to intelligently and rigorously determine how well risks have been addressed is a specialist discipline. 

Counter Terrorism Security Advisors (CTSAs) who are part of NaCTSO, but embedded in local policing authorities once had significant training, skill, and ability to serve this purpose in conjunction with the planning authority. But cuts to resources and a weak legislative base have resulted in a ‘something is better than nothing’ approach, significantly degrading any real capacity to make change.  While the NPPF is there, these factors give rise to questions over the effectiveness of the current system. 

In the UK and most modern Western societies there are rights associated with property ownership that underpin our democratic and economic structures. Moreover, and rightly so, civil liberties and rights are hallmarks of our societies and legal frameworks that constrain swift, arbitrary, and potentially heavy-handed governmental responses to security threats. 

Therefore, in the absence of a clearly articulated public policy demand and a balanced approach to security legislation and regulation in the built environment, government is limited in what it can and cannot mandate without risking the perception of government overreach. As a result, up to now everything from the government is simply guidance or recommendations and are not mandatory, even for properties that would clearly meet NaCTSO’s existing criteria for inclusion into a Crowded Places Protection Program. There are currently no requirements on existing crowded places venues to demonstrate how a development has reduced vulnerability and risk, nor are there any statutory requirements related to response planning and coordination with first responders. DOCOs, CTSAs, and CPNI provide advice, but they are not designers and do not take design responsibility.

The sad reality is that there needs to be greater recognition of the duty of care of property owners, regardless of whether they are a public or private entity, to protect the users of their spaces and places. If schools in the UK are now required to develop CT plans and teach students how to react to a terrorist incident, then how can it not be a legal requirement for crowded places to do more to reduce their risks? Venues and operators derive significant commercial gains and benefits from large scale events, and it is not too much to ask them to demonstrate how they protect the people from whom they are deriving their financial gains. We should reject the model of complacency and the ‘it won’t happen to us’ attitude of many – it can happen, it does happen, and the impacts on people, businesses, and society need to be recognized and those responsible held accountable.

Potential Model

While Martyn’s Law may usher in new requirements for the UK, it is not a new paradigm when compared to other practices in other parts of the world, namely Abu Dhabi in the United Arab Emirates. Despite the differences in governmental structures between the UAE and the UK, the UAE took the UK’s excellent crowded places model and developed it several stages further. In 2013, the Abu Dhabi Executive Council ratified and approved the Safety and Security Planning Manual (SSPM) as well as the creation of the Abu Dhabi Crowded Places Protection Program. The SSPM and Crowded Places Protection Program are performance-based security regulatory public policy and implementation programs, that mandate property owners and developers to understand their security risks and demonstrate how they reduce vulnerability and risk. This is because it is recognized that an attack against a private or commercial venue will significantly impact economic sectors, civil society, and the government. The SSPM and Crowded Places model has very few prescriptive requirements primarily because each building and development, and its context is unique, but it does mandate the security review process, the use of qualified security specialists within the design team, and a tangible reduction in vulnerability. 

Unlike current practices in the UK where this security function is housed within the police or security services, in the Abu Dhabi model the responsible agency was the planning authority. The simple logic for this rests in the existing regulatory role that the planning authority has over the built environment and the economic operators and owners within that framework. For new developments this worked well, while for existing crowded places developments the mandate for change is most effective when delivered by a security entity with statutory authority. The evaluation of whether the development has sufficiently reduced vulnerability and risk to acceptable levels is made by the government. However, it is a process that engages property owners, urban planners, development consultants, security consultants, and the government working collaboratively towards a defined outcome, which may be different for each development. In order to be approved, security cannot be simply an afterthought or a retroactive application of security products to a development, but it must be a deliberately produced outcome of the planning and design process. For any new development, this requires engagement of security risk and strategy specialists at the earliest stages of the development cycle, as well as engagement with the government security regulators and specialists. However design freedom is important, and to ensure we continue to create amazing spaces and places, we need to set the security outcome and not define the solution. This enables architects, planners, and designers to find intelligent, creative, and engaging solutions to security problems and helps to form the defensive case demonstrating inherently lower vulnerability to and risk of terrorism while being balanced with other development objectives. 

While the SSPM provided safety and security advice to all developments within the Emirate of Abu Dhabi, the Crowded Places Protection Program applies only  to a small percentage of properties that are deemed to be at risk of terrorism. These properties became part of a discrete risk register, which captures existing crowded places and new developments. The Abu Dhabi Crowded Places Protection Program was modelled on the UK’s program, but with crucial differences being the uthority of the government to mandate change by the property owner for both new and existing developments.  The successes achieved by the program have not been widely publicized, but resulted in internationally leading examples with tangible and measurable vulnerability and risk reductions through integrated planning and design.  

Moving Forward

The UK has some of the best CT response capability in the world, but is behind when it comes to proactive protection. The security professionals who were the authors and implementers of the SSPM and the Abu Dhabi Crowded Places Protection Program are currently reunited at BB7 in the United Kingdom. We specialize in security and counterterrorism policy development and risk management consulting in the built environment. 

We believe that a performance-based regulatory system for counterterrorism security at crowded places is necessary now more than ever. But if a regulatory model is not forthcoming there are existing schemes in place, such as SABRE delivered by BRE, that venue and property owners can use to help them identify their risks and document their security risk management processes and decision-making. Property owners can and should take a proactive approach to security risk management, if not for the intended outcome of protecting their assets and customers, then to mitigate the risk of reactive prosecution under existing legislation.

The way forward is not about creating fortresses or excessive overt security, but it is about proportionate, appropriate, and effective security specific to terrorist attacks. 

It is about competent security advice provided by qualified and experienced consultants who are capable of working with planners, designers, and security authorities. It is also about providing venues with an audit trail of security decision-making that co-opts government and private owners into creating a defensible security case against those who would argue that more could or should have been done.

If enacted Martyn’s Law and the regulatory model following on from the legislation will be a game-changer across multiple industries in the UK.  While it may present additional requirements, it will also present additional opportunities economically, politically, and socially. There is a growing trend and realization within government it cannot deal with the issue on its own. Authorities such as CPNI publically advocate for a greater role of the private sector to take responsibility as owners, but also their increased recognition of qualified and experienced security consultants working with informed design teams to help achieve the outcome of greater protection. No longer will the approach of ‘something is better than nothing’ be acceptable. Perhaps existing venues that cannot demonstrate fitness for the purposes of holding large-scale events in light of the risks, should be repurposed, or new fit-for-purpose facilities developed thus providing new economic opportunities. 

There is great potential for a sustained and new leading security regulatory practice to be implemented and championed by the UK that emphasizes holistic risk-based security strategies that are fit-for-purpose, achieves outcomes, fosters greater coordination and collaboration, and holds risk owners accountable. However, there are significant risks associated with improper administration and implementation of such an ambitious law. There must be a champion that will resist the temptation to go down a prescriptive regulatory route that specifies products outside of a viable risk-based strategy, but rather places emphasis on processes and outcomes.  

Author - Aaron Thatcher

Aaron is an Associate Security Consultant at BB7, where he focuses on strategic security risk management consulting to reduce vulnerability and risk for organizations and projects.

Prior to joining BB7, he spent twelve years in the Middle East working across a range of different levels including operational security, strategic security risk management consulting, and governmental regulatory policy implementation.  

Email: [email protected]

Website: www.bbseven.com