Under the new Protect Duty, it’s likely leisure and hospitality businesses will need to carry out regular risk assessments specifically focusing on terror and security threats to the public.
These will require businesses to consider the threat from each type of attack method, including:
- Marauding knife attack
- Marauding gun attack
- Improvised explosive device
- Vehicle used as a weapon
- Lone assailant or armed group
- Local and targeted or large-scale mass casualties
Organisations may also need to assess the vulnerabilities and weak points in their business properties' security and current security procedures, considering what actions would be taken if the threat level went up in their area. For each risk, the assessment should analyse and evaluate the potential impact and identify mitigations to reduce the threat.
Will businesses need more physical security?
Although still in consultation, any additional physical security measures required under the Protect Duty will depend on the size and scale of your operation. Many large organisations will already have security integrated into their buildings, while smaller businesses will only need to take proportionate and reasonable measures such as shutters and locks.
Medium-sized businesses that haven’t had a strong security focus before will likely need to do more to meet the Protect Duty. It may be worth these companies getting external advice from security professionals on what to install.
The steps any business takes should be targeted at disrupting assailants before they can act and minimising losses if they do attack. Specifically, the measures an organisation puts in place should aim to:
- Deter – for example, using fences, lights and signage, or security guards to show your business is not a soft target and to deter potential assailants
- Detect – consider training your staff to spot suspicious behaviour and consider installing CCTV and alarms to detect intruders
- Delay – additional physical measures such as fencing, vehicle barriers, roller shutters and security doors can give you vital extra minutes that could save lives in the event of a terror attack
- Mitigate – take measures such as applying anti-blast film to windows, to can minimise the damage if an attack happens
- Respond – make sure you have tried and tested incident response and crisis management plans ready for action, including first aid and links to emergency services
Creating a culture of security
Having a well-developed security culture in your organisation will go a long way towards meeting the Protect Duty. This could comprise:
- Training for staff, making sure the people responsible for responding to a terror incident have the right capabilities
- Having action cards, reminding people what they need to do and when
- Promoting internal security forums or WhatsApp groups, so best practice is better understood and socialised
- Being discreet in your external communications, so you don’t give away information potentially useful to terrorists
- Carrying out regular drills and crisis management exercises to test each element of your plans and ensure individuals’ roles and responsibilities are understood.
Key steps to help you prepare for the Protect Duty
Understand the threats
Leisure and hospitality organisations should develop an understanding of UK threat levels and the changing terror landscape. Counter Terrorism Security Advisors (CTSAs) are available to help build this awareness. They can also provide security advice for protecting people in crowded spaces and suggest practical improvements. Find out who the CTSA is for your area and get to know them.
Use tools and resources
There are lots of useful tools and information publicly available from organisations such as the Centre for the Protection of National Infrastructure (CPNI) and the National Counter Terrorism Security Office (NACTSO). These can help you assess whether you are doing enough to secure your spaces and what you need to improve.
Educate your employees
Start building awareness amongst your employees of the different threats and how they can help prevent them. Consider accessing See, Check and Notify (SCaN) training, which is free of charge to businesses for your employees.
Adapt your existing procedures
Look at what you are already doing and how you can deploy it to address terror threats specifically. For example, could you build on your health and safety and fire safety procedures? The chances are much of this activity can be mapped across to meet the new Protect Duty. Look at the risk assessments you already perform and see how you could adapt them into a template for your Protect Duty assessments.
Take steps to improve security now
Don’t delay. If you know there are things you could do to improve the safety and security of the public, do them now. It’s good for business and will help build resilience as your organisation prepares to meet its new obligations when the Protect Duty is made law.
Build it into the design
If you are moving or building new premises, think about how you can build security in from the start. For example, you could integrate surveillance systems into the design, reduce visibility from outside, control access points – anything to make it harder for assailants to attack.
Building a robust crisis management plan
The Protect Duty will require larger organisations to have a well-established crisis management plan. This consists of three phases:
- Response – This is the immediate ‘blue light’ phase, when your focus is entirely on how to protect people and limit damage. As well as enacting your own first aid and security response, you will need to work with counter-terrorism police, who may take over control of the site. Make sure you have good communications with the local Bronze Command if possible.
- Crisis management – This is the immediate aftermath of the incident, when you need to restore control in your organisation. Focus on managing the media, reassuring staff, customers and stakeholders.
- Recovery – This is about the weeks after the incident, when you need to get back on your feet. Focus on restoring normality, as far as possible, for your employees and customers.
Key things to consider when designing your plan:
- Does it have a clear purpose? Is it a generic plan or specifically designed for terror threats?
- How is it triggered? What are the activation and escalation criteria? What procedures kick in when and who needs to act and how?
- Is there a clear response structure? Are there defined roles and responsibilities from leadership to operations teams?
- Does it cover communications? The plan should define which communications are allowed in and out during an incident and link up with the communications team to manage relations with key stakeholders such as media, customers and insurers.
- How does it deliver business continuity? Does it define priority activities and recovery strategies to keep you trading?
- How do you close the incident? The plan should include provision for debriefs, lessons learnt, monitoring and review.
It may be useful to distil the plan into a quick reference guide that staff can keep handy and refer to.
Once you have put your crisis management plan together, it’s important to test it. You should carry out an exercise at least once a year. The type of exercise will depend on the type and size of your organisation:
- Walk through discussion: This might be appropriate for smaller businesses without the resources for a full-scale rehearsal.
- Scenario-based approach: Staff work through scenarios at desktop level, but there is no live rehearsal. This may be suited to medium-sized businesses.
- Simulation based exercise: A full-scale exercise with real-life media and people posing as emergency services. This is for only for the largest organisations as it’s inherently risky and needs to be planned well.
Other steps businesses can take to embed security, protect the public and foster resilience in the long term include:
- Integrating the Protect Duty into to your risk management process- make sure that terrorism is included in your risk register and it prioritises resilience to terror threats
- Developing stronger links with other groups and organisations, such as community safety partnerships, local multi-agency resilience forums and intelligence sharing networks
- Registering with the Cross-sector Safety and Security Communications group to receive regular security updates relevant to your business
How can Willis Towers Watson help?
- Threat Awareness Brief – This brief will translate the UK terrorism threat environment specifically to your business, leveraging the expertise of our consultants to competently assess the risk. You will receive practical recommendations to enhance your organisation’s security culture, awareness and physical protective measures
- Security Vulnerability Assessment – This assessment will assess the physical, technical and procedural security measures currently in place at your asset(s) and align these, through remedial recommendations, to Protect Duty requirements (TBC). This assessment will be carried out by our specialist security consultants
- Risk Consulting – Our Risk Consulting Practice includes highly experienced crisis management and business continuity experts able to support you across of range of crisis preparation measures such as risk assessment, plan writing, crisis and response training, scenario-based exercises and related management systems
For help implementing the right leisure and hospitality risk management and insurance strategy approach for your business, please get in touch.