Following the London 7/7 terror attacks that targeted the U.K. capital’s public transport infrastructure, the need for added vigilance against the threat of terrorism became a high priority. Despite the various measures taken, a decade later, the Manchester Evening News Arena fell victim to an atrocity that sent shockwaves worldwide as 22 people were killed and many more were injured and traumatized attending a pop concert.

To investigate the incident thoroughly, the U.K. Home Secretary established the Manchester Arena Inquiry in October 2019, which examined the security arrangements at the venue. A report published by the Inquiry in July 2021 determined that numerous opportunities to prevent the attack and reduce the death toll were missed. The list of failings included:

  • Inadequate risk assessments and threat mitigation.
  • A lack of understanding among security staff of the terror threat.
  • A failure to take proportionate measures in response to the reports of the attacker’s suspicious behavior, and a lack of perimeter security that would have led to the bomber being searched.

The report includes a range of recommendations, including a new ‘Protect Duty’ law, which would apply to owners and operators of public venues, large organizations, and those responsible for public spaces. The proposed legislation would require these entities to factor terrorist threats into their strategic planning and implement proportionate protective security.

In this piece, we look at what the Protect Duty law in the U.K. will look like, how it might impact legal requirements in other countries, and how security professionals in the U.S. and beyond can use the findings of the inquiry to fulfill their ethical responsibility to keep visitors and staff as safe as possible.


A framework to guide compliance 

Central tenets of the Protect Duty are the need to differentiate between types of publicly accessible locations and create guidelines that do not produce unnecessary costs or burdens on staff resources or time. It is hoped that tailoring requirements within a segregated framework, as opposed to a ‘one size fits all’ alternative, will help promote and ensure stakeholder compliance.

Initial proposals within the Protect Duty consultation suggest a delineation between three main areas:

  • Public venues with a capacity of 100 persons or more (e.g., tourist attractions and theatres).
  • Large organizations that operate at publicly accessible locations and employ 250 staff or more (e.g., retail and entertainment chains).
  • Public spaces (e.g., beaches, thoroughfares, bridges, and pedestrianized areas).

Regardless of whether the Protect Duty legislation contains a framework that is segmented in this way, it could and arguably should serve as a model for other nations that have faced similar terror threats in recent years, especially those that have experienced threats and attacks across a range of venues and spaces.


Engineering stakeholder collaboration 

Compounding the complexity of producing stringent risk assessments for large public venues and spaces is determining who the stakeholders are and allocating appropriate responsibility or remit for security.

Principally, the subjects of a Protect Duty would be landowners, occupiers, and tenants. However, complexities arise around degrees of responsibility where different leaseholders occupy separate venues such as shops, bars, and stalls. These complexities can be handled if overall responsibility for security is subcontracted to a supplier, but even this raises further questions as to whether security subcontractors and suppliers are then subjected to Protect Duty.

As identified in the Protect Duty consultation, the answer to this complicated mix is that if multiple stakeholders operate at a given venue, all are responsible for the safety and security of employees and visitors within that venue’s perimeter.

By promoting stakeholder collaboration against a backdrop of enforceable legislation, U.S. parties can also begin working together by committee, ensuring that all official advice and recommendations are shared and understood, and that security protocols are successfully implemented and adhered to.


Employee training and empowerment 

A lack of understanding of the terror threat among Manchester Arena security staff and the failure to respond to the reports of the attacker’s behavior as suspicious were highlighted in the subsequent report as being critical factors enabling the attack. 

Inadequate attention paid to the threat level, exacerbated by the long period within which the threat level remained at ‘severe’, was thought to have contributed to an attitude of complacency among the Arena’s security teams. As the events of that night proved, ‘severe’ was the correct threat level, but more emphasis should have been placed on this categorization where it is set and operational procedures altered accordingly. 

For U.K. and U.S. teams alike, vigilance must be maintained at all times, and this is where training becomes imperative. Action Counters Terrorism (ACT), a national awareness scheme to protect buildings, business areas and their surrounding vicinities from the threat of terrorism, provides free training, which is compiled and delivered by NaCTSO. SIA can also offer support where more targeted training is necessary.

However, it must be understood that e-learning courses alone are not sufficient, even if deemed to be high quality. Practical ‘prevent and respond’ training, including first aid training, must be a regular feature within the schedules of security personnel.


Review and enforcement

It is not enough for risk assessments to be compiled in-house without external review on matters as grave as terror attack prevention. They must be underpinned by a kitemark of approval to indicate a quality benchmark, include consistent criteria, and be appropriately differentiated depending on the size and type of venue to which they apply. 

Review processes must also be robust and be undertaken at regular intervals to accommodate changes in the threat landscape and new technologies that can be used to mitigate that threat.

A lack of active enforcement, due partly to insufficient resources, resulted in breaches at the Manchester Arena that were not identified. In the future, and as recognized in the Protect Duty consultation, Counter-Terrorism agencies, security agencies, licensing officers, and the police should collaborate more comprehensively. 

Both planned and unplanned venue inspections should be carried out with site visits tailored to accommodate licensing checks and an understanding among all parties that enforcement consequences are as severe as breaches of Health & Safety legislation. 


The American question

Though it remains unknown what Protect Duty will look like once finalized in the U.K., the consultation contains compelling suggestions that all countries, including the U.S., could benefit from. 

However, each country will face its own challenges to implementation. 

In the U.S., it is interesting to understand who would be responsible for each part of the duty. This was a concern raised by Stuart Taylor, CEO of Stucan Solutions Corporation, a security firm based in Virginia, who said:

“The question is whether the U.S. Government and Law Enforcement agencies will support and implement a program like the Protect Duty with the debate inevitably centering on who will pay.  

“Insurance and tax rebate incentives may soften the blow, but there would likely be push back regarding jurisdiction as individual States don’t appreciate Federal mandates, and the U.S. is so polarised politically, red and blue State agreement would be difficult to engineer.”  

As within the U.K., the U.S. would also have to navigate the costs associated with introducing some of these additional policies should the Protect Duty be launched over the pond. Observing how the U.K. divides these costs and shares the responsibility of the duty between stakeholders, leaseholders, venue owners and security teams will be crucial.

The inquiry report into the Manchester terror attack in 2017 is a troubling reminder of some of the many security failings which, had they been addressed, could have prevented such regrettable loss of life. The proposed ‘Protect Duty’ law is a step in the right direction to formalize preparedness for these potentialities, and the U.K. rollout of the duty will be a strong blueprint for the U.S. to follow.

Strategic planning of security procedures, formalizing training expectations, and ensuring stakeholder collaboration are all processes that the duty will consider. As discussed by Taylor, “… all businesses, schools, and venues have a duty of care to their employees and guests to implement a scalable form of the Protect Duty.” The U.S. should be keeping a close eye on how the duty is rolled out in the U.K. to ensure that it is as prepared as possible should a similar ruling be introduced in the near future.