Skip to main content
Volume 1: Security for the Arena
Volume 1: Security for the Arena (large format)

Risk assessment

Key findings


  • At the time of the Attack, SMG had in place a general written risk assessment covering its activities. It was inadequate: it failed to adopt a rigorous approach to the assessment of the risk of a terrorist attack and did not identify what steps should be taken to reduce that risk. In any event, it did not form part of SMG’s planning or procedures at the time of the Ariana Grande concert.
  • SMG prepared a specific risk assessment for the Ariana Grande concert. It was inadequate: it did not identify the threat from terrorism as a potential hazard and had descended into a box ticking exercise.
  • SMG’s approach to risk assessment as it related to terrorism was inadequate. Had SMG put in place an effective risk assessment process at the Arena it would have identified deficiencies in the security arrangements including: the approach to CCTV; moving the security perimeter; the importance of patrolling in the City Room during events by Showsec; and, the breakdown in communication between SMG and Showsec in relation to the pre-egress check.


  • Showsec had in place a general written risk assessment in relation to the threat from terrorism to its employees. It was not an adequate document.
  • Showsec staff failed to notice the obvious and significant errors in the general written risk assessment in relation to the threat from terrorism to its employees.
  • Showsec did not have a general written risk assessment in relation to the threat from terrorism in relation to event-goers or other members of the public who might be affected by Showsec’s role in providing crowd management and security services. That was a substantial and serious omission on Showsec’s part.
  • Showsec did consider the risk of a terrorist attack and what steps it should take to mitigate it in the document entitled “Counter-terrorism Awareness 2017; Manchester Arena”. This document failed to identify the use of patrols as a mitigation measure against PBIEDs in the City Room. It should have done.
  • Showsec did not conduct a risk assessment which considered the threat from terrorism specific to the Ariana Grande concert. Showsec should have done.

SMG and Showsec

  • SMG and Showsec should each have taken into account the steps being taken by the other when conducting risk assessments. The necessary level of communication, coordination and co-operation was not achieved
  • SMG and Showsec needed to know what BTP was or was not going to do at each and every event by way of deployment. That did not occur.

Risk assessment: threat from terrorism

As set out in Part 3, both SMG and Showsec were under a legal obligation to conduct suitable and sufficient risk assessments in relation to their employees. They were also under a legal obligation to conduct suitable and sufficient risk assessments in relation to those who might be affected by their activities: in SMG’s case, its activity as the Arena operator; in Showsec’s case, as the provider of crowd management and security services at an event. A number of documents were provided to the Inquiry relevant to these obligations. I shall consider each of them and the evidence I have heard about them.

Before doing so, the importance of an effective risk assessment process needs to be underlined. Such a process has three important stages to it. The first is to identify and assess the hazards to the groups of people to whom a responsibility is owed. The second is to determine how likely it is that someone could be harmed and how seriously. The third is to take action to eliminate the hazard, or if this is not possible, control the risk. These are commonly known as control measures.

It is necessary to say something more about the two parts of the second stage in relation to the threat from terrorism: likelihood and severity. Given the purpose of a terrorist attack will invariably be to cause maximum harm, the severity of the risk for it will always be of the highest order. There will be few risks which will have the potential to cause as much harm as those from a terrorist attack.

When it comes to likelihood and the weighting given to it, it is important that considerable care is taken. Fortunately, terrorist attacks are relatively infrequent. However, any successful attack will have catastrophic results. The events of 22nd May 2017 demonstrate so devastatingly that they must be prevented. Because the statistical probability of a terrorist attack in any one place at any time may be very low, there is a risk of a mindset developing that “it won’t happen here”. Such an approach is wrong, particularly in the context of a risk assessment process. It is obviously so, when even a little thought is given to the potential consequences of this approach.

The emphasis at the second stage should be on severity. The possible consequences of a terrorist attack are catastrophic. For this reason, they have to be given far more weight in a risk assessment than the likelihood of an attack on a particular site at any particular moment in time.

In 2017, there were three other factors which were highly relevant to the risk assessment process and which should have been factored into it by both SMG and Showsec.

First, SMG knew that the Arena had been identified by counter-terrorism police as a Tier 2 site following the NaCTSO assessment in 2014.322 The very placing of the Arena into this category should have made clear to SMG that it was an attractive target to terrorists. In Showsec’s case, while its employees were not invited to the meeting with the CTSA, its own risk assessment acknowledged SMG’s engagement with Ken Upham. That risk assessment should have taken proper account of the CTSA process.

Second, the national level for the threat from international terrorism, set by the Joint Terrorism Analysis Centre (JTAC), was “Severe”. This meant that “an attack is highly likely.” Proper account should have been taken of this fact. The risk assessment process should have accommodated the national threat level. It might have done this by setting out different levels of response based on the different threat levels. Alternatively and preferably, the assessment process should have required a complete review of the control measures when the threat level changed. This would increase the possibility that proper regard would be given to any new information which had emerged that justified the national threat level change.

Third, regular reviews of the risk assessment were essential.323 In May 2017, the national threat level had been at Severe since 29th August 2014.324 However, since that time, the nature of the threat had been evolving. The terrorist attacks in 2015, in particular, gave notice of the very real threat of a PBIED. The risk assessment process should have recognised expressly the need for a constant refreshing of the thinking behind its content. This should have involved a regular, scheduled review of all of the content and material underpinning it. It should also have allowed for an unscheduled review if events warranted it.

The above represents the minimum that a terrorism risk assessment should have included. I turn now to consider what the documentation submitted to the Inquiry, in fact, revealed.


Operational Procedures; Emergency and Contingency Plans document

At the time of the Attack, SMG’s general written risk assessments were contained within a document entitled “Operational Procedures; Emergency and Contingency Plans” (the Operational Procedures document).325 Although the copy the Inquiry received is marked as revised on 25th May 2017,326 it was confirmed by SMG this was the date the document was printed.327 This document had not been superseded or withdrawn prior to the Attack.328

Within the Operational Procedures document are a number of risk assessments which are relevant to the threat from terrorism. The evidence did not reveal who the author of the risk assessments was, although they were added into the document by James Allen.329 James Allen, Miriam Stone and a number of other senior people within SMG are indicated as being on the circulation list for the document. Also on the circulation list were GMP, BTP and Showsec.330

At the start of the document the scoring of the assessments is described as “using a standard severity x likelihood table”. The ranges for the total are listed: a total score of 0 to 5 is said to be an “acceptable risk”; a total score of 5 to 10 is said to be “low risk”; a total score of 10 to 15 is said to be “medium risk”; and, a total score of 16+ is said to be “high risk”. The document states that “Emergency contingency plans have been enclosed for situations that have scored a rating of five or above as incidents below this score will offer negligible risk.” 331 The document does not explain how exactly a user is expected to apply the total score in any practical way.

Within the subsequent risk assessments are three which I regard as most relevant to events on 22nd May 2017: “Bomb Detonation”;332 “Explosions”;333 and, “First Aid Injuries: Multiple and Major Injuries caused by Explosions”.334

The first of these falls in a list of hazards under the heading “Acts of Terrorism within the Venue”; the second falls in a list of hazards under the heading “Incidents outside the Venue”; and the third under “Medical Incidents”. Each of these have been completed against five different “profiles”: three types of event ranging from “low risk” to “high risk”, “load in / load out” and “Non event mode”. Each of the profiles has three columns completed with a number: “severity”, likelihood” and “total”.

The “Bomb Detonation” risk assessment appears in Figure 11. It provided total scores which ranged between “5” and “15”, depending on whether the event profile was said to be “low risk”, “medium risk” or “high risk”. The event profile risk was determined by the national threat level and how “contentious” the artist or event was. Miriam Stone stated that, given the national threat level, all events at the Arena at the time of the Attack were high risk.335 Within the terms of the document’s approach to scoring, a total score of “5” was at the top of the “acceptable risk” and the bottom of the “low risk” category. A total score of “15” was at the top of the “medium risk” category.336

LOW Low national/regional threat level (as advised by GMP/BTP)
Non contentious artist/event content
Limited press/media interest
MEDIUM Medium threat level
Major press/media interest in event/artist
HIGH High threat level
Contentious artist/event
Hazard Risk Profile Severity Likelihood Total
Bomb Detonation Causing multiple deaths Event – low risk 5 1 5
Event – med risk 5 2 10
Event – high risk 5 3 15
Load in / Load out 5 1 5
Non event mode 5 1 5

Figure 11: SMG ‘s “Bomb Detonation” risk assessment337

The most relevant risk assessment by reference to what occurred on 22nd May 2017 was “Explosions”. This appears at Figure 12. Whether an event profile was “low”, “medium” or “high” was determined, according to the document, by the effect on the venue. The person who completed the form assessed the severity for all of the profiles in the “Explosions” scenario as being “5” out of a possible 5; with the likelihood for all of the profiles as being “2” out of a possible 5. This produced a total score for each of the profiles, regardless of whether the event profile was low, medium or high risk, of “10”. According to the explanation of the scoring, this total score equates to the top of the “low risk” category or the bottom of the “medium risk” category.

LOW Nothing happening to affect the venue
MEDIUM A single incident which affects the venue
HIGH More than one incident affecting the venue
Hazard Risk Profile Severity Likelihood Total
Incidents outside the venue – continued
Explosions Detonation of improvised explosive device Event – low risk 5 2 10
Event – med risk 5 2 10
Event – high risk 5 2 10
Load in / Load out 5 2 10
Non event mode 5 2 10

Figure 12: SMG’s “Explosions” risk assessment338

Also relevant was the risk assessment for “First Aid Injuries: Multiple and Major Injuries caused by Explosions”.339 This appears in Figure 13. This risk assessment took the same approach to the scoring for events as “Explosions”, giving a total of “10” for all event risk profiles. For this risk assessment, whether or not an event profile was “low”, “medium” or “high” risk was determined by the number of attendees, whether those attendees were likely to cause trouble and whether there was any “historical data”.

LOW Attendance of 5,000 or less. Seated floor.
Family or mature adult audience profile
Good historical data with less than 1% accident rate
MEDIUM Attendance of 5,000 – 10,000
Standing floor with limited movement
Young adults in mixed sex groups
Good data with 1 – 2% accident rate
HIGH Attendance of 10,000 or above
Standing floor with extensive crowd movement
Teen, over 50+ years or rival fraction audience
No historical data
Hazard Risk Profile Severity Likelihood Total
Caused by Explosions Event – low risk 5 2 10
Event – med risk 5 2 10
Event – high risk 5 2 10
Load in / Load out 5 2 10
Non event mode 5 1 5

Figure 13: SMG’s “First Aid Injuries: Multiple and Major Injuries caused by Explosions” risk assessment340

Another part of the Operational Procedures document contains a section devoted to control measures.341 None of those listed are focused on preventing a terrorist attack. It also contains a section headed “Bomb and Terrorist Threats”.342 This section does not list any control measures relevant to mitigating the risk of a terrorist attack. Nor does it mention PBIEDs. The only way in which its content is relevant to what occurred on 22nd May 2017 is in relation to actions after a detonation had taken place. To the extent other parts are relevant to 22nd May 2017 they, too, are relevant to the response to an attack, not preventing it.

Overall, the Operational Procedures document fails to adopt a rigorous approach to the assessment of the risk of a terrorist attack. It is entirely deficient in relation to the key question which automatically arises once the extent of any risk is identified, namely what steps should be taken to reduce it? James Allen agreed that the approach within these important risk assessments was not “particularly rational”343. He agreed that giving the same overall risk score to scenarios in which the risk was different was “nonsense”.344 Overall, the thrust of his evidence was to accept that these risk assessments were inadequate.345 Miriam Stone accepted they were inadequate.346 They were both right to do so.

In the event, the inadequacy of the risk assessments within this document made no difference. This is because neither of the key SMG employees, James Allen and Miriam Stone, used them in practice.347

Manchester Arena Security Risk Analysis document

SMG prepared a document entitled “Manchester Arena Security Risk Analysis” (the Security Risk Analysis document). Although not explored during the oral evidence, SMG disclosed this document to the Inquiry before the oral evidence hearings began. The date on the face of it is after the Attack. However, the Solicitor to the Inquiry was informed by SMG in correspondence that it predated 22nd May 2017 and that the date appearing on the first page indicated the day on which it was printed after the Attack. The document itself refers to the JTAC threat level as being ‘severe’.

In SMG’s Opening Statement it was accepted that there were “shortcomings” with this document. SMG went on to concede, about both the Security Risk Analysis document and the Operational Procedures document, “We also accept that they were not being reviewed with the appropriate frequency at the time of the Attack. In fact, neither of these documents was being used as part of the day to day process of terrorism risk assessment at the Arena in the period running up to the Attack.”348

The Security Risk Analysis document included an assessment of the risk of “Terrorist Threats outside Manchester Arena” which were “[i]n close vicinity which could affect the building directly or prevent an event taking place.” Of this particular threat, the document goes on to state in the notes to this assessment: “This is potential high due to the fact we are a city centre building within a major interchange railway station. WORLD RENOUNED venue operated by US Company and many American acts.”349

This risk assessment goes on to conduct an initial likelihood-times-severity score, with the likelihood score initially equivalent to “medium”. The likelihood score is reduced to “low” following the identification of certain controls measures, including “police intelligence” and “good site wide CCTV”.

A number of risk assessments in relation to scenarios within the Arena are subsequently set out.

The document continues by stating, under the heading “Major Risks”, that “[t]he above risk assessment has identified 3 major areas of concern that despite the risk reduction in place it is difficult to fully bring these down to an acceptable level without restricting our business flexibility.” Of those three major areas of concern one is said to be “The location of the Arena within a railway interchange of a major European city with little control on what takes place outside and around the building.”350

The Security Risk Analysis document concludes with three appendices. The first of these includes a number of the elements of the Operational Procedures document I have identified. The two further appendices relate to SMG and Showsec’s recruitment of staff.351

It was a significant failing that SMG did not have regard to the content of the Security Risk Analysis document as part of the process of risk assessment in the period prior to the Attack. The concession that there are “shortcomings” with it was appropriately given. However, in my view, the threat of an attack in close vicinity to the Arena building, which could affect it, included the scenario of an IED in the City Room. This threat was stated to be a “potential high” risk. The document identified that the reasons for this risk level were the Arena’s iconic status, the fact it formed part of a transport hub, its American ownership and the fact that “many American acts” performed there. Ariana Grande is an American act. An event specific risk assessment, undertaken with this part of the Security Risk Analysis in mind, would have led to a recognition that the areas immediately outside the concert on 22nd May 2017 may be a particularly attractive target for a terrorist, as in fact was the case.

The document recognised that one of three challenges to bringing the risk down to “an acceptable level” was the lack of control over access by members of the public to the areas outside and around the Arena. This challenge is precisely why pushing out the security perimeter would have brought greater protection to event-goers. The recognition of this challenge should have driven attempts to move the security perimeter beyond the City Room. SMG should have been doing all it could to bring this risk down below an acceptable level.

Alternatively, in the absence of achieving a security perimeter which protected the areas immediately outside the Arena, such as the City Room, the recognition of this particular challenge should have caused SMG to consider more closely what other mitigation measures could have been put in place. The CCTV system in areas of particular risk, such as the City Room, should have been scrutinised with this particular challenge in mind. Security patrolling, as a further means of identifying those who may be using the public right of access as a cover for their malign intent, should have received more attention.

As it was, the Security Risk Analysis document did not form part of SMG’s day to day process of risk assessment in the period prior to the Attack. Consequently, the important parts of this document identified above, which were capable of making a difference to the events of 22nd May 2017 had they been acted upon in the way I have described, did not receive the attention from SMG they should have.

Ariana Grande concert: event-specific risk assessment

SMG prepared a document entitled “Manchester Arena – Event Risk Assessment specific to the Ariana Grande concert”.352 This involved the completion of a pro forma risk assessment with event-specific information. This was a standard document produced by SMG for each event.353

At no point in this document is the threat from terrorism identified as a potential hazard.354 James Allen and Miriam Stone both accepted it should have been.355 Miriam Stone went further and candidly accepted that the event-specific written risk assessment process had descended into a box ticking exercise.356 She also accepted that the system SMG had in place for risk assessment was less than ideal.357

Sharing of risk assessments with Showsec

Showsec’s Service Delivery Management document envisaged that SMG would provide its risk assessments to Showsec.358 Showsec Regional Manager, Thomas Bailey, had no recollection of having received either a risk assessment or any method statements from SMG.359 Neither had Thomas Rigby, the Showsec Head of Security at the Arena on 22nd May 2017.360

Mark Harding stated that the arrangement between SMG and Showsec envisaged an exchange of information between the two organisations from the risk assessments. He stated that it would have been prudent for each to have a copy of the others’.361

Although the event-specific risk assessment was used by SMG as the basis to calculate the number of Showsec staff required,362 it was not a document that Thomas Bailey had ever seen.363

Effect of SMG’s approach to written risk assessments

Both James Allen and Miriam Stone asserted that despite the accepted deficiencies in the written risk assessment process, SMG did adequately take into account the threat from terrorism in its operation.364 I do not accept that. A more rigorous approach would have compelled greater thought by SMG. This should have led to a realisation that something needed to be done about the risk of attack in the City Room. A more rigorous approach would have prompted closer examination of Showsec’s documents.

The importance of the failings I have identified in SMG’s operation, such as the approach to CCTV and the lack of any proper investigation into the possibility of moving the perimeter, would have been revealed by an effective risk assessment process. That is the purpose of such an assessment. It would also have led to the identification of the importance of patrolling the City Room and the mezzanine area by Showsec. This may well have led to the discovery of the breakdown in communication between SMG and Showsec about the extent and function of the pre-egress check. I shall return to the pre-egress check in greater detail later in Part 6.

Overall, SMG’s approach to risk assessment as it related to terrorism was inadequate. I agree with Miriam Stone that SMG should have sought help.365 I agree with Dr BaMaung that the absence of such help was a “key weakness” of SMG’s approach.366 SMG’s approach to counter-terrorism risk assessment would have substantially benefited from the expert input of the kind I addressed in Part 5.


Written risk assessment: counter-terrorism

Showsec had a number of risk assessments in spreadsheet form. These included a section focused on the threat from terrorism. The risk assessment spreadsheet was dated 9th January 2017. The risk assessments contained within the spreadsheet were not event-specific.367 The template was created by Sharon Pates, Showsec’s health and safety officer.368 2017 was the first time it was used.369 It was completed by Thomas Rigby.370 Thomas Rigby had undertaken a health and safety risk assessment course in 2011, although that did not involve any training in relation to counter-terrorism.371 The spreadsheet was marked for review on 9th January 2018.372

Upon completion of the spreadsheet on 18th January 2017, Thomas Rigby emailed it to Sharon Pates and Thomas Bailey for “thoughts and changes”. In the body of his email, Thomas Rigby raised his concern that it didn’t “look extensive enough to be correct.” On 24th January 2017, Sharon Pates replied to Thomas Rigby “All good Tom”.373 Thomas Bailey did not propose any alterations to it.374

The completed spreadsheet is marked as being circulated to Miriam Stone and James Allen at SMG and Thomas Bailey, Alan Wallace and Sharon Pates at Showsec. James Allen accepted he had seen this document.375 Miriam Stone stated she was unable to find any record that she had received this document.376 I find that she did not see a copy of it prior to the Attack.

The risk assessment spreadsheet comprised two parts.377 The front sheet of the spreadsheet contained the summary, incorporating the outcome of a number of risk assessments across Showsec’s activities.378 The second part comprised further sheets which contained risk assessments for the different categories summarised in the front sheet. This included a risk assessment which corresponded to counter-terrorism entry on the front sheet.379 That risk assessment is four pages in length and identifies seven hazards.

The counter-terrorism risk assessment provides for scores to be given to each of the hazards under the headings “Severity”, “Likelihood” and “Population”. A person completing this assessment was expected to input a value in relation to each of these fields for each of the hazards. The document then required a reassessment of these headings in light of additional control measures.380 Once the fields were completed, the form calculated an average score taken across each of the hazards.381 The average score was then automatically carried across into an overall risk rating for terrorism on the summary page.382

As a result of the way the form was completed prior to 22nd May 2017, the overall risk rating for the terrorism risk was indicated in the summary sheet to be a score of 12. According to the summary sheet, a score of 12 corresponds to an overall risk rating of “Low”. The form also records that the “Threat Level” was “Low”.383 This is despite the fact that the national threat level was “Severe” at the time the assessment was completed. Thomas Bailey described this as being “a typo”.384 Thomas Rigby accepted that the document contained an inappropriately low assessment of the risk of terrorism.

The failure of Thomas Bailey, Sharon Pates, from whom I have not heard but to whom I gave an opportunity to respond to this criticism, and James Allen to notice such an obvious and significant error reveals a lack of care and attention on their parts towards their duty to identify and take steps to mitigate the risk of a terrorist attack. On the SMG side, James Allen accepted, and I agree, that he “should have taken more notice” of this document.385

The aggregating of all risk assessments across all hazards to create an average is obviously problematic. This is so because the very low risk of particularly unlikely forms of attack could result in artificially depressing the final overall number. This might have the effect of concealing the significance of a threat from the most likely form of attack.386 As a result of the approach that was taken, the assessment of the risk of a terrorist attack was inappropriately low in this document.387 As a matter of common sense and, as should have been obvious to Showsec, the most likely form(s) of attack should have been used to drive the overall assessment of risk.

There are three further and significant problems with this document.

First, Thomas Bailey and Thomas Rigby asserted that it was an assessment focused on Showsec employees.388 This was consistent with the position adopted on Showsec’s behalf in the opening statement.389 It was consistent with the other risk assessments which formed part of the overall document. The Showsec Operational Plan 2017 refers to a risk assessment for Showsec staff in relation to events.390 The summary page of the risk assessment document refers to reading it “in conjunction with the Operating Plan”. It seems likely that this document was created as a supporting document to the Operational Plan 2017, which indicates it is focused on employees.

However, the counter-terrorism risk assessment identifies members of the public as a category of persons who may be at risk in relation to a number of hazards.391 The inclusion of people beyond those employed by Showsec as people at risk suggests that some thought had been given to members of the public, although not in anything like a rigorous way given where it has been included. The lack of clarity around who this document was intended to benefit is unsatisfactory and indicates a lack of proper thought.

Thomas Bailey confirmed that there was no other equivalent document for event-goers.392 He stated that Showsec relied upon SMG to conduct such a risk assessment, although he never saw any such document.393 I find that this was a substantial and serious omission on Showsec’s part. Showsec was under an obligation to conduct a risk assessment in relation to event-goers. It was mandatory for Showsec to carry out, in writing, a suitable and sufficient assessment of the risk from terrorist attack. Although Showsec failed to conduct a suitable and sufficient written risk assessment of this sort, I accept that there was some, albeit inadequate, consideration by Showsec of the threat of terrorism to event-goers, which I will consider further below.394

Second, the attack methodology of PBIED is not listed as one of the hazards in the ’employee risk assessment’, although some other attack methodologies are. Given that PBIED was a well-known attack methodology in 2017,395 I find that this omission reveals a substantial lack of care and attention on the part of Thomas Rigby. This omission was not identified by anyone else within Showsec in the period from January 2017 until the Attack. That fact reveals a worrying lack of oversight at a senior level within Showsec in relation to what should have been treated as a very important part of its operation.

There is a third problem with this document. At the top of the second part of it, two questions are posed: “Has the vulnerability risk assessment been completed by CTSA?” and “Has the CTSA recommendations been actioned?”.396 Both of these questions are answered on the form as “Y”. In fact, Showsec was never provided with any written information from the CTSA process. As a result, Showsec was not provided with any detail in writing in relation to what recommendations had been made and relied upon an oral report from SMG which was limited and omitted key information.397

Thomas Bailey accepted that the answer to the second question was not based on any information provided by SMG.398 I regard this as being unsatisfactory and unacceptable. If Showsec wished to take into account the outcome of the CTSA process when assessing the risk to its own employees, which would have been appropriate, a request for the underlying documentation and/or involvement in the CTSA process should have been made. Answering an important question on an important document, such as a risk assessment, on the basis of what was, at best, an assumption reveals a lack of proper and appropriate thought being given to ensuring adequate steps were taken to protect people from the threat of terrorism.

Overall this document, as it related to the threat from terrorism, was inadequate. I accept that assessing the risk of a terrorist attack is a challenging process which may require an adjustment to the approach which is taken in relation to other risks to health and safety. I also accept that there was not readily accessible, free guidance on how such risk assessments may be satisfactorily completed. However, the nature and gravity of the errors in this document and Showsec’s approach to the risk assessment process generally lead me to conclude that insufficient regard was given to the threat from terrorism by Showsec as an organisation. Showsec’s staff should have realised the limitations of their own competence and, if they felt that there was insufficient freely available information, they should have made a concerted effort to obtain expert input.

Counter Terrorism Awareness 2017; Manchester Arena document

Thomas Bailey reviewed and signed off “Counter Terrorism Awareness 2017; Manchester Arena”, a document dated 6 January 2017.399 Thomas Rigby is recorded as the primary contact for this document. He was involved in its creation.400 It was sent to key Showsec personnel and to Miriam Stone and James Allen of SMG.401

Although not expressly labelled as a risk assessment, parts of the document do support a risk assessment process. Thomas Rigby said that it was intended to support the risk assessment process.402 It does so by identifying the measures which are being deployed to control the threat from terrorism. It was asserted on Showsec’s behalf that this document “set out how Showsec delivered on its limited counter-terrorism obligations”.403

Under the heading “Security Planning” the document addresses the number of personnel required to ensure the safety of the public. It states: “Consideration of Risk assessment, audience profile, Artist Risk assessment, Capacity/Sales will determine the safe requirement”.404 It does not mention the national threat level. Thomas Bailey stated these were the factors “on SMG side” for allocating the number of Showsec staff to an event. He stated this was determined by SMG’s risk assessment which he never saw.405 As set out above, SMG’s event risk assessment did not include any consideration of the threat from terrorism. Thomas Bailey accepted that confusion may have entered the process in relation to the risk of terrorism and the risk the audience posed to itself.406 This was undoubtedly the case. The thinking around risk was focused on the trouble an audience might cause. It did not consider in any satisfactory or rigorous way what the risk to the audience might be from those who may wish to do them harm.

The document deals at an early stage in general terms with the “Physical Security” which Showsec put in place to mitigate the threat from terrorism.407 As part of this section, the document identifies, correctly in my view, that one important measure to mitigate this threat is patrolling.

I recognise that it would be inefficient and undesirable for a patrol to focus only on counter-terrorism. Such an approach may result in other suspicious behaviour, such as a person showing an unlawful interest in children, being overlooked. Consequently, it seems to me that it would be potentially misleading to refer to patrolling of the type I am describing as a counter-terrorism patrol. I think it is better described as a ‘security patrol’. Such a patrol should include a counter-terrorism element, but will include active and conscious vigilance for all suspicious behaviour. I shall deal in further detail with patrolling as a counter-terrorism mitigation measure later in Part 6.

The patrolling section of the document includes: “As well as designated patrols each steward is responsible for their immediate working area, the total of which will cover the entire working area of the event/venue. Supervisors will undertake regular patrols of their sectors as further observatory patrols.” It also refers to the SMG patrols on non-event days and states “during events these patrols are undertaken by Showsec Security staff.”

Given the way in which it is framed within the document, I find the natural meaning of this passage includes the City Room. First, because the SMG patrols included the City Room and the use of the word “these” can only mean in this context that Showsec was indicating it will undertake the patrols which replicated the SMG patrols. Second, because the City Room falls within the area encompassed by the supervisors’ “sectors”, in relation to which it is said there will be regular, observatory patrols. Third, because this part is dealing with “the entire working area of the event/venue” which includes the City Room.

This interpretation is consistent with the recognition in the NAA and EAA presentation given by Mark Logan and Simon Battersby that external patrolling was part of the counter-terrorism security operation.

However, the difference between the plain meaning of the document and the way Showsec approached its activity at the Arena became clear during the evidence.

Thomas Bailey agreed that the natural meaning of this part of the document was that Showsec would conduct patrols which would have included a counter-terrorism element of the whole of the City Room.408 However, in fact, Showsec did not approach its work in the City Room in this way.409

That Showsec had not recognised the need to conduct security patrols of the City Room is found later in the same document. The City Room is specifically addressed. The threat of a suicide bomber in the City Room is identified. A number of “Control measures” are listed. None of the control measures listed include the use of security patrols of the City Room.410 This absence is consistent with the pre-egress checks which Showsec in fact carried out, none of which could properly be characterised as a patrol with a counter-terrorism element of the City Room. Omitting patrolling which included a counter-terrorism element of the City Room as a control measure was a serious failure, particularly in circumstances where Showsec had identified earlier in the document the importance of patrolling as a mitigation against the risk of terrorist attack both in the same document and in the NAA and EAA presentation given in April 2016.

Thomas Bailey recognised that, even prior to the terrible events on 22nd May 2017, the use of patrols was an “obvious” control measure against the threat of a PBIED in the City Room.411 His explanation for its absence in the relevant part of this document was that the focus was on the crowd and where it went.412

A further deficiency with this document relates to the inclusion of the pre-egress check sheet in Appendix 2. This appendix relates to searching in the event of a bomb threat. Included within it was the pre-egress check sheet.413 It emerged that it had been included in error and was said by Showsec to have had nothing to do with counter-terrorism.414 The explanation for this error was that the pre-egress sheet appeared on the back of a relevant document and the scanning process when the Counter Terrorism Awareness 2017 document was created had incorrectly included it.415

The inclusion of the pre-egress sheet was an easily avoidable mistake. It was also a highly unfortunate mistake as it was capable of giving rise to the false impression that Showsec’s pre-egress check was a counter-terrorism patrol or a patrol including a counter-terrorism element. On the face of the pre-egress sheet, this was a patrol which included the “entire” City Room. Senior SMG personnel said this is what they thought was, in fact, occurring.416 None of them, though, drew attention to the inclusion of the pre-egress sheet in the Counter Terrorism Awareness 2017 document as giving rise to that belief.

It was asserted on Showsec’s behalf that the purpose of sending this document to SMG was “so that SMG could understand how Showsec was addressing this aspect [the counter-terrorism procedures] to secure the safety of the event goers.”417 As such, it was highly unfortunate that a plain reading of it would be likely to mislead the reader into believing Showsec was undertaking patrolling that in fact it was not.

The failure to include patrolling as an express control measure against the risk of a suicide bomber in the City Room is a substantial deficiency in this document. Insofar as the document might be thought to support the risk assessment process, it was insufficient and unsuitable by reason of this obvious and significant omission.

Showsec’s approach to this document is a good demonstration of the importance of the role of proper risk assessments. Although the document appears to recognise the importance of patrolling, when considering the specifics of the City Room, that measure is entirely overlooked. Had it been recognised and included when this document was drawn up, as it should have been, a proper system of patrolling would have been implemented in the City Room by Showsec. This would have included patrolling on the mezzanine level. This is likely to have led to the identification of SA as suspicious prior to 22:15 on 22nd May 2017.

Ariana Grande concert: event-specific risk assessment

The Ariana Grande concert appeared in a document which listed a number of events under the heading “Event Risk assessment category”. In that document, the Ariana Grande concert was identified as being an “Event Category A”. This event category is identified as being “low risk”.418

It became apparent in the course of the evidence that the phrase “Event Risk assessment category” was a reference to the process by which the minimum required seniority, experience and education of the Head of Security for an event was identified.419 Documents of the type which included the Ariana Grande concert were usually completed quarterly.420 This meant that some events would be considered in excess of two months prior to taking place.421

Thomas Rigby, who was Head of Security for the Ariana Grande concert, accepted it was not a risk assessment.422 The selection of the Head of Security process did not include any assessment of the threat from terrorism to the event.423 Showsec has since renamed this process better to reflect its true objective.424

There was no written risk assessment prepared by Showsec specific to the Ariana Grande concert which included assessing the risk to attendees from terrorists. There should have been. Assessing each event individually for all risks should have been part and parcel of Showsec’s standard way of operating. When done correctly, the risk assessment process should refocus attention on the control measures which will be required. This should affect the content of the briefings.

Showsec have since commissioned another company to assist in the carrying out of its risk assessment for terrorism.425

Communication, coordination and co-operation

SMG and Showsec should each have taken into account the steps being taken by the other when conducting risk assessments. Showsec needed a very clear understanding of what SMG were doing in relation to CCTV because CCTV played an essential role in the overall counter-terrorism strategy. SMG needed a very clear understanding of what Showsec was doing in relation to patrolling, for the same reason. The necessary level of communication, coordination and co-operation was not achieved.

Both SMG and Showsec needed to know BTP’s deployment plan for each and every event. That way, both could plan on the basis of what they knew BTP would be doing.426 This would have provided the opportunity to discuss and plan for the situation where BTP did not do as expected. Again, what should have occurred, did not.