Skip to main content
Volume 1: Security for the Arena
Volume 1: Security for the Arena (large format)

Recommendations

Guarding against complacency

My overarching impression from the evidence is that on 22nd May 2017 and in the lead up to the Ariana Grande concert, inadequate attention was paid to the national level of the terrorist threat by those directly concerned with security at the Arena. The threat level was severe. That meant that a terrorist attack was highly likely.

None of those directly concerned with security at the Arena on 22nd May 2017 considered it a realistic possibility that a terrorist attack would happen there.

If SMG had paid greater attention to the threat level, it would have taken more steps to mitigate the danger of a terrorist attack in the City Room on 22nd May.

If Showsec had paid greater attention to the threat level, it would have taken more steps to mitigate the danger of a terrorist attack in the City Room on 22nd May.

If Mohammed Agha and Kyle Lawler had considered the concerns expressed to them about SA in light of the threat level, they would have made greater efforts to ensure those concerns were reported to their supervisors.

If BTP officers had that level of risk in their minds when they carried out their duties that night, they would not have been absent for such a long period from the public areas of the Victoria Exchange Complex. In particular, one of them would have been in the City Room in the half hour period before egress and therefore during part of the period that SA waited there before detonating his bomb.

One of the reasons why inadequate attention was paid to the threat level was that it had been in place for some years. I make no criticism in respect of the length of the period during which a severe risk was identified. As long as the threat level is severe, the appropriate level of vigilance must be maintained. The problem is that it becomes more and more difficult to ensure that people maintain the high level of alertness required in relation to potential dangers. A high level of alertness needs to be maintained when the threat level is severe.

It is necessary to continuously remind those whose job includes being alert to the terrorist threat of the level of it and what that level means in relation to the possibility of an attack.

There ought to be a risk assessment for every venue. A specific risk assessment for each event which involves the attendance of a substantial number of people. All risk assessments for large concert venues should include consideration of the risk of a terrorist attack. Inadequate consideration of that risk may result in incorrectly identifying a low risk. This in turn may cause those responsible for security to be insufficiently alert. That is what occurred here.

It was suggested during the evidence that this was unnecessary, as everyone knew the threat level of a terrorist attack and would have regard to it in the way they behaved. I do not agree. While in theory that may be true, the discipline of undertaking a risk assessment will assist in keeping the threat of terrorism at the forefront of the minds of those who prepare for the event.

Robust procedures are necessary to counter the threat of a terrorist attack. The purposes of those procedures and the necessity of following them must be understood by those carrying them out

The following are three examples of procedures which should have been more robust.

It needed to be made absolutely clear and to be understood by the BTP officers that patrolling the areas of egress in the half hour before the end of the concert was not optional, it was mandatory because of the security risk. There needed to be at least one experienced police officer on duty at the Victoria Exchange Complex on the occasions of concerts, preferably a sergeant, in addition to inexperienced officers, to ensure that nobody forgot the threat level and carried out their instructions with it in mind.

The pre-egress checks carried out by Showsec ignored almost entirely the terrorist threat. Those checks concentrated instead on making sure that the exit routes for the crowd were clear. That was important but it was also important that there should have been a counter-terrorism aspect to the checks. Anyone who had the threat level at the forefront of their mind would have realised that.

Showsec should have understood that its staff had a responsibility to check the mezzanine as part of a security patrol. SMG should have had a system in place to make sure that security patrols were taking place and being carried out properly.

In order for necessary security procedures to be maintained, each person needs to be reminded of the counter-terrorism aspect of their activities. The message that counter-terrorism measures are vital needs to be constantly reinforced.

Those responsible for security should be briefed at every event about the current threat level and risk of terrorist attack.

I accept that repeating the same warning about terrorism as part of each briefing creates a risk of it being ignored and those who have heard it before may listen less than attentively.

The evidence I heard from Showsec is a good illustration of this issue. The Showsec supervisors’ and stewards’ briefings on 22nd May 2017 both include the importance of being vigilant for suspicious behaviour. As the events which followed demonstrate, that was insufficient to keep people safe. However, the fact that this measure was not effective on this occasion is not a reason to abandon it. Rather, it is a reason to do it better.

Those receiving the warning about the risk of attack have to be aware of the potential that they will become desensitised to the message. Those giving the warning need to be aware of this and must try to refresh the message so that it is sufficiently updated and relevant to attract the attention of the listener.

Showsec operated a system of having a period within the supervisors’ briefing for a particular topic which was selected from a number of possible options, one of which was counter-terrorism. This was, in my view, a good way to ensure that additional detail was provided without the subject matter becoming stale.

Any and all suspicious behaviour by event-goers or members of the public close to a venue must be noted. It must be reported promptly so that investigations can be made and action taken, if appropriate.

When this recommendation is followed there will be false alarms. While this may be frustrating, it is important that the way false alarms are dealt with does not discourage the reporting of suspicious behaviour. If unnecessary reports are made, the remedy should be to train staff better to recognise suspicious behaviour, rather than criticise them for making the report. It is not easy for staff, particularly junior ones, to make reports that they know may result in disruption to an event or inconvenience a large number of people. They need to be given the confidence to do so.

Bomb hoaxes can cause great inconvenience, but no-one can safely ignore bomb warnings. So it is with suspicious behaviour. It should only be ignored when an innocent explanation has been verified. There was evidence of a number of such false alarms during the Inquiry, but staff should be congratulated and not criticised either expressly or implicitly for raising the alarm. Showsec and SMG were clear that they did their best to get this message across but, on the evidence, it did not seem to have got through to all of their staff. In particular, the system for capturing reports and ensuring their proper investigation was not sufficiently robust.

Where hostile reconnaissance is suspected it needs to be properly recorded and reported to the police. The police should investigate it and report back. Briefings to security staff need to include details of the suspected hostile reconnaissance. This is so that staff know what has happened and know what to look out for.

The Protect Duty

A consequence of the Attack has been that impetus has been given to the idea of introducing primary legislation putting in place a ‘Protect Duty’. That is an obligation for those with responsibility for publicly accessible locations to consider and, where required, implement security measures in order to protect the public. The government proposes to introduce the necessary legislation and is conducting a Consultation on what it will contain.

During the hearings in 2018 of the Intelligence and Security Committee of Parliament into the 2017 attacks, Counter Terrorism Police told the Committee that a Protect Duty was “not something which seems likely at the moment in law”.

In its report which included recommendations, at Recommendation LL the Committee said at page 104: “…we remain concerned that there appears to be no way of mandating owners of public places to install necessary protective security measures where they do not do so voluntarily. This issue becomes yet more difficult where sites have multiple owners. The Government should consider clarifying the legal responsibilities of both site owners and relevant public authorities in this regard.”’

Things have clearly moved on.

The progress is a testament to the efforts of Figen Murray, whose son Martyn died in the Attack. In his memory and in recognition of Figen Murray’s work, the proposed new legislation has become known as ‘Martyn’s Law’. Everyone who took part in the Inquiry has rightly paid tribute to her efforts.

Legislating for a Protect Duty is an ambitious project. It is intended to put in place legal requirements which will apply to all spaces to which the public have access. There have been other schemes which have been designed to protect the public in crowded spaces. These have been more limited in scope and have not been wholly successful. The first was targeted at buildings which were considered to be ‘vulnerable’. The most recent one was aimed at crowded spaces which would be ‘attractive’ as targets for terrorists. This is the one which the Arena accessed through the input of a CTSA. I have dealt with that scheme in relation to the Arena in detail in the course of Volume 1.

There were drawbacks to both the schemes which were implemented through CTSAs. The first was that they applied to a relatively limited number of locations and, perhaps more importantly, they were voluntary schemes and occupiers of premises were not obliged to implement recommendations made by CTSAs. As I have already said, SMG did take up the offer of assistance and did implement recommendations which had been made. The shortcomings in the scheme as it affected the Arena are made clear in Volume 1.

The idea of a more comprehensive Protect Duty has been under consideration for a number of years. DAC D’Orsi said that she had been an advocate for it ever since she took up her previous job dealing with terrorist cases. Shaun Hipgrave, who is in charge of policy around the Protect Duty at the Home Office, has also been a supporter for some time. The need for a different scheme was partly because of the lack of success of the previous schemes and also because of the change in the methodology of the attacks carried out by terrorists.

The government proposal is very wide ranging and, while simple in design, it will be complicated to put into operation. The proposal is that the Protect Duty will apply to every space to which the public has access so that wherever members of the public go within a public space some person or organisation will have the responsibility to take steps to protect them against a terrorist attack.

The Consultation considers three different areas to which a Protect Duty may apply. First, public venues which are capable of accommodating an audience in excess of 100; second, large organisations employing more than 250 people; and third, public spaces. Each of these different categories will cover a wide variety of locations with very different levels of risk.

The Inquiry has been concerned with a large arena which comes within the first category. Very different issues may arise for the Protect Duty for the second two categories.

I have not heard evidence and I have not considered submissions on how to make large organisations or public spaces secure, so I will restrict myself principally to dealing with the proposed Protect Duty as it applies to large, public venues. Some of my observations will be relevant to the other two categories.

There is already legislation which is capable of requiring consideration of the risks of a terrorist attack in some buildings. As is correctly pointed out by the government, existing legislation does not cover all the areas that they wish a Protect Duty to cover. A Protect Duty is therefore needed in addition to existing legislation, but it does not mean that existing legislation should be ignored.

Whenever a new Protect Duty has been considered, questions of proportionality have arisen. It is important that, as far as possible, the risk of a terrorist succeeding is eradicated or minimised. While we look to the Security Service and Counter-Terrorism Police to discover plots before they can come to fruition, they cannot prevent every terrorist plot as they themselves have said. That is not a reflection on how they do their jobs, it is the reality. Nor is it any comment on whether SA’s plot could or should have been stopped by the Security Service and Counter-Terrorism Police. I shall be considering that issue in Volume 3 of the Report.

Doing nothing is, in my view, not an option. Equally, the Protect Duty must not be so prescriptive as to prevent people enjoying a normal life.

Working out what is a proportionate response is a matter for society through Parliament. Any increase in protective measures is likely to affect both those implementing them and may affect members of the public. I have seen the horrific outcome of the Attack on 22nd May 2017 and the appalling consequences it has had for the bereaved and survivors. I recommend that, when considering what is the appropriate Protect Duty for premises like the Arena, a high standard of protective security is justified.

An important question for the government will be whether setting the level for the Protect Duty in the first category at venues with a capacity of 100 or more is workable. Very different issues will arise for venues capable of accommodating an audience of only 100 people and one capable of accommodating many thousands such as the Arena.

The Consultation’s stated aim is for “light touch” regulation. While that may be justified when dealing with smaller venues, it seems to me that different considerations should apply to larger commercial premises. Not only are the potential consequences so much more serious but, for that reason, these premises are more likely to attract the attention of terrorists. They are also likely to have greater resources to put protective measures in place.

I recommend that when considering the shape of the legislation, the government considers whether it will be necessary to have further categories above the 100 capacity. While categorising by capacity may be the most straightforward way of deciding on the nature of the Protect Duty to be imposed, there may be other factors that need to be considered. For example, it may be appropriate to use different capacities depending on whether the venue is indoors or outdoors. This will need to be considered.

For venues capable of accommodating large audiences, it seems to me that considerations of eliminating or reducing risk from terrorist attacks should be part of the pre-building process. Once premises are constructed, it may be that compromises in the discharge of the Protect Duty will be reached to enable the premises to trade. For example, one of the principal reasons that SA was able to detonate his bomb was the difficulty of making the City Room secure because of its design and use.

I consider it is important that before premises are built, or there is a change of use, consideration is given to whether the design is suitable for providing the level of security required by the Protect Duty. In the end, it would be better for developers to know in advance whether their building was likely to comply with any Protect Duty rather than face difficulties after they have constructed the building.

Safe means of entry and egress can be considered before the premises are built, so that security difficulties such as those caused by access through grey spaces can be resolved. The nature of the risks and threats from terrorists change, as we have seen over the past decade. While it may be impossible to consider every possibility at the construction planning stage, many could be.

There are already statutory requirements which could cater for this. It could be done as part of the construction planning or the licensing process. Considerations of public safety are already part of the licensing process and there is no reason why consideration of the vulnerability of a terrorist attack in new premises should not be part of the planning process. I understand this could come within the present planning legislation, but if a widening of the ambit of planning permission was required, there is no reason why that could not be achieved by government guidance or, if necessary, the primary legislation which will be required to introduce the Protect Duty.

Similar considerations apply to licensing permissions. Any building such as the Arena would require a licence to permit public entertainment and the sale of alcohol. Public safety has always been a consideration in the granting of licences and the clear terms of the Licensing Act 2003 mean that it still is.

I recommend consideration is given to these matters when legislating for a Protect Duty. The Home Office, in their submissions to me, indicated that they will consider reviewing the Licensing Act 2003 guidance once a Protect Duty has been brought in. An addition to that guidance is all that would be required. Any change in the guidance needs to be consistent with a new Protect Duty and there seems no reason why it should not be issued at the same time as the introduction of the new duty.

When dealing with large venues such as the Arena, I see no reason why regulation as part of the Protect Duty should not be rigorous. Regulation dealing with other matters of public safety such as food hygiene is rigorous. I do not see why prevention of terrorist attacks should not be treated in the same way. It would be comforting to think that threats from terrorist groups might be short-lived but there is no evidence to support that.

The Duty

In my view there should be the following requirements as part of the Protect Duty when dealing with large premises.

First, it will be necessary to identify what the nature of the duty will be.

There already exists a statutory form of words which Is appropriate to define the extent of the duty, so it is unnecessary to create a completely new formulation. I recommend that a formulation of the duty could be to take such steps as are ‘reasonably practicable’ to ensure the security of members of the public while they are on land, or in premises, with express or implied permission to be there. Members of the public falling into this category will be those to whom the Protect Duty is owed. It should include employees of the Protect Duty-holder.

The meaning of reasonably practicable is well established. It is used within health and safety legislation which will have some similarities to a Protect Duty. I have included a new concept of ‘security’. My recommendation is that security in terms of a Protect Duty should mean protecting those to whom the Protect Duty is owed from harm as a result of a terrorist attack.

The next step will be to identify who should be subject to a Protect Duty. That is not necessarily a straightforward exercise. Identification of the persons and organisations subject to the Duty needs to be simple.

The Consultation proposes that the Protect Duty should fall on the owners of land and occupiers. That seems a sensible starting point. Depending on the circumstances, it may be easy for owners to discharge their duty. For example, the owners of premises like the Arena are likely to discharge their Protect Duty by contractual obligations imposed directly on the occupier or on the head lessee who can then pass them on to the occupier. It would then be a matter of the application of the reasonable practicability test to decide whether more was required of an owner. This will depend on the individual circumstances.

Deciding who is subject to the Protect Duty becomes more difficult in relation to areas over which a number of people have rights. When considering an area such as the City Room, there may be an owner, a head lessee and others who have premises adjacent to it who have rights for themselves and their customers to pass over it. All of these could, and probably should, have a Protect Duty over the parts of the common area which their visitors use. The extent of that may depend on the type and amount of use they make of the common space.

Deciding who has a Protect Duty in relation to a shared space, what the extent of each duty is and how the duty is going to be fulfilled by the different parties will be difficult. In the case of the Arena the problem did not arise as, by virtue of the facilities management agreement, SMG were contractually responsible for security in the City Room. Reaching such a contractual arrangement would be sensible and may be necessary but may not be readily reached in some cases where such a communal space exists. Imposing a Protect Duty by legislation on, for example, owners of shopping arcades which they never had in their contemplation at the time they let units in the arcade, is capable of leading to unfairness.

As suggested in the Consultation, the preferred way of dealing with any problems between different Duty-holders would be to encourage agreement between the various parties as to how they should collectively discharge the Protect Duty. It has to be recognised that that may not be possible, and a mechanism may have to be considered to enforce a resolution.

I recommend consideration of a Protect Duty on others who have no legal interest in the property but have responsibility for security. For example, Showsec who were involved in crowd management and security, activity which Showsec accepts had a counter-terrorist element, would not be covered by an ownership or occupation-based duty. On the evidence that I have heard, there is a strong case for making an organisation, such as Showsec, subject to such a Duty. It may be that this can be provided for contractually between the owners or occupiers of the premises and any company employed by them to provide security, but there could be difficulties where the contract is already in existence.

There may be a decision to be made as to whether the government will itself be made subject to a Protect Duty or whether some government agencies will be. Police services would not be covered by a property-based Protect Duty except on their own land. While the Police would, no doubt, be required to protect the public from a terrorist attack without such a duty, the existence of a positive Protect Duty might provide a framework and reinforce the need for constant vigilance. One of the matters revealed by the evidence given at the Inquiry has been the difficulty in keeping people aware of the risk of a terrorist attack, particularly when the threat level remains the same for a long period of time.

Local authorities provide protective security through the operation of CCTV which does not cover land that they own. It is important that the operators of CCTV have sufficient training to observe hostile reconnaissance and suspicious behaviour and it may be that consideration should be given to making local authorities subject to a Protect Duty.

Communication, coordination and co-operation between those with a responsibility for keeping the public safe

One of the recurring themes of this Inquiry has been the need for co-operation between different people and organisations in the interests of everybody’s safety. All employers are already under this duty by reason of the health and safety regime in relation to shared workspaces.

All those concerned with or occupying the Victoria Exchange Complex in which the Arena was located should have been co-operating together over security, particularly those working in the station and the Arena.

The CTSA advising the station and the CTSA advising the Arena should have carried out at least part of their security assessment together. Showsec should have been involved with the CTSA when security matters were discussed with SMG.

BTP should have liaised more closely with both SMG and Showsec. Each should have known what the other was doing, so that the protective measures each provided were complementary. Showsec, in submissions to me, argued that once the audience members left the Arena and entered into the City Room, primary responsibility for their safety from a terrorist attack was on BTP as this was a ‘public space’.775 As a matter of fact and law, I do not believe that that is accurate. The City Room was a privately owned space, in to which the public was permitted except between 00:00 and 05:30 each day.

Whether or not it is accurate as a matter of law, it reflects in my view the wrong attitude to approaching the terrorist threat. While we enjoy the freedoms that we do, no police service or the Security Service can hope to eliminate all terrorist threats. It is up to everybody to carry out their part in trying to prevent terrorist attacks. Co-operation is required from everybody and attempts should not be made to pass on responsibilities to others. It is to be hoped that a Protect Duty will achieve this by legislation, as commercial pressures may mean that it will not be achieved on a voluntary basis.

In my view, the Protect Duty should include a requirement that, where there is more than one Protect Duty-holder in relation to any particular protected space, that person should co-operate, communicate and act in a coordinated manner with other Protect Duty-holders in order to discharge their own Protect Duty.

Summary of the Protect Duty process

The exact mechanics of how the Protect Duty will work in practice will be a matter for Parliament to determine. However, I recommend that it will need to include the following stages:

1) The Protect Duty-holder must assess the risks.

2) In light of the risk assessment, the Protect Duty-holder must decide what needs to be done to mitigate the risks.

3) The Protect Duty-holder should carry out the actions which have been identified.

4) There should be a system of checking that the actions have been carried out.

5) If there has been a failure to carry out the actions, enforcement action should follow.

I make some suggestions as to the detail below, which I hope will assist.

The Protect Plan

Central to the whole process of discharging the Protect Duty should be the preparation of a comprehensive risk assessment, the identification of the control measures and an explanation of how these will be implemented. I will refer to this as a ‘Protect Plan’. It may well be possible that for smaller venues or open spaces, a Protect Plan could be prepared by the owner from a generic list of options. That does not seem to me to be feasible for large venues. It does not seem unreasonable to me that large commercial venues, for which preparation of risk assessments and solutions may be complex, should have to pay for the preparation of the Protect Plan whether by retaining a consultant or employing someone for that purpose.

Experts assisting in the completion of the Protect Plan will require specialist training and a minimum standard of accreditation will ensure that those undertaking this very important task are properly equipped to do it competently. It will be for the security industry, in collaboration with government, to ensure that there exists a recognised standard of training, a ‘kitemark’ of approval and ongoing continued professional development. It may be that the Security Industry Authority could have a role to play in setting the standard.

In some cases, the steps required of Protect Duty-holders will be obvious and straightforward. In these cases expert input may be disproportionate. These Protect Duty-holders should be able to take the necessary steps by accessing publicly available information as to how they should approach their tasks. Below I make recommendations as to how NaCTSO may be able to make a contribution to ensuring the required information is available to those who need it.

In cases in which preparing the Protect Plan is not straightforward and the Protect Duty-holder, such as a charity, does not have the means to pay for assistance, consideration should be given to providing state help for the preparation of the Plan and its implementation.

The Protect Plan should set out the ‘reasonably practicable’ measures to be taken to mitigate the risk of a terrorist attack.

Once prepared, in some cases the police and other state agencies may wish to have an input into the plan before it finalised.

A timetable will need to be set. There will need to be provision for regular reviews and enforcement process. Reviews will not only be needed to ensure that the Protect Plan is still being implemented but to consider possible changes if the terrorist threat alters.

Selecting appropriate staff

The Protect Plan should identify which roles will include a counter-terrorism element. These roles are essential to the successful discharge of the Protect Duty. It is critical that those undertaking these roles are selected with care. This will include ensuring that they have the necessary maturity and confidence to speak up should the situation arise. It should also include ensuring a background check proportionate to the role that they are undertaking has been conducted.

I recommend that the Protect Plan identifies the approach which will be taken to ensuring that only appropriate people undertake work which includes a counter-terrorism element.

Adequate training

Part of the Protect Duty proposals include the provision of training in counter-terrorism. The higher-level training provided by the SIA for employees occupying certain positions should be retained but it is important that managers and all employees have some training. ACT which is a training scheme set up by NaCTSO is suitable for people working in the industry at all levels. All people working in venues such as the Arena should be trained in the basics of counter-terrorism. The nature of the threat changes so it is important that there is regular refresher training.

The provision of adequate training should form a key control measure within the Protect Plan. This will include consideration of the need for enhanced training for those in roles which require it.

I recommend that staff training should form a mandatory part of the Protect Plan.

Rigorous and robust enforcement

It was a common feature of the regulatory schemes that I have heard about during the Inquiry that there were insufficient resources to carry out proper enforcement. The consequence of that is that there have been a number of breaches of regulations which might have been avoided with more active enforcement.

It is important that there is proper enforcement of the Protect Duty, the possible consequences of breaches are so serious that proper steps need to be taken to avoid them happening. It is possible that CTSAs, licensing officers, police licensing enforcement officers and the SIA could all combine to provide enforcement. Even if that happens, it is likely that more people will be required to carry out the work. When cutbacks occur, enforcement can be one of the first areas to lose staff. It would be a false economy in relation to enforcement of the Protect Duty. I recommend that an adequate and effective enforcement process is established in relation to the Protect Duty.

The proposal is that there should be a system of enforcement to ensure that the terms of the Protect Plan which has been determined are complied with. I am satisfied on the evidence that I have heard that there needs to be an enforcement mechanism and the ability to impose a penalty if there is a breach. Part of the reason for the failure of other schemes has been that they have been voluntary. The Consultation suggests that the penalty should be restricted to a civil penalty which would be financial. In those circumstances there would be no conviction. While it is not unusual to have civil penalties for regulatory failures, provision is often made for criminal prosecutions and more severe penalties in more serious cases. I would recommend that the same should apply for breaches of the Protect Duty. It should be borne in mind that this is an area where the possibility of a severe sentence could have a deterrent effect.

In my view, there is no good reason to put in place an enforcement regime that is any less rigorous or robust in terms of inspection, enforcement and penalty than that which exists in the parallel health and safety legislation. Given what is at stake, namely the lives of people going about their everyday business, there is every reason to make the Protect Duty equally rigorous and robust.

Whatever the legislature decides about penalty for breach, inspection and enforcement is likely to be the main deterrent. A proper inspection regime needs to be in force so that serious security breaches are identified and promptly remedied. Even if enforcement is regarded as light touch it is important that there is proper inspection. An effective enforcement regime requires sufficient people to do it properly. All the evidence that I heard suggests that insufficient resources have been put into the present inspection regimes. A proper inspection policy should provide for unannounced inspections as well as planned ones. It may be that the roles of different inspectors can be combined so that for example inspectors looking to see that the Protect Duty was being complied with could also be checking in appropriate locations that licensing conditions are being observed.

I envisage that this may follow a similar approach to that used in relation to health and safety and food standards. By this I mean the existence of a mechanism for issuing a formal notice setting out the remedial steps which are required in relation to any identified deficiencies. For extreme situations, there must be provision for issuing a notice that prevents a venue from operating until remedial steps have been taken. The notice will provide a timescale for compliance. It will also be necessary to have an appeal process for the adjudication on the appropriateness of the terms of the notice, should there be a dispute. It should be a criminal offence to fail to comply with a valid notice without reasonable excuse.

Operators, and people who work for them, are often under financial pressure to try and make savings as has been evident during this Inquiry. I understand that is the commercial reality, but it does mean that a proper inspection regime is needed to give some assurance that savings will not be made at the cost of safety. The security measures may be expensive. It must be more costly to an organisation and individuals to cut corners than to comply with the Protect Duty.

I recommend that enforcement of the Protect Duty is at least as robust and rigorous as comparable regulatory regimes.

Communication, coordination and co-operation between enforcement authorities with overlapping regimes in connection with the Protect Duty

The various regulatory bodies who have responsibility for safety at premises like the Arena need to operate together. CTSAs, the SIA, the Licensing Authority, the Health and Safety Executive and the police all have responsibilities for public safety at premises of this kind. They need to understand what each of them is doing in relation to any particular premises so they do not duplicate but can provide complementary services. I will be reviewing the progress of this as part of my monitoring of the Protect Duty.

I recommend that regulators and other state agencies with responsibilities that engage with any Protect Duty co-operate, coordinate and communicate.

Mandatory first aid training for staff of those under Protect Duty

As well as looking at measures aimed at preventing a terrorist attack, I recommend that the government should also look at simple measures to help to save lives should an attack occur. It has become clear to me during the evidence that it would be beneficial if employees of companies which have a Protect Duty, including SMG and Showsec, were trained in first aid relevant to injuries of the type caused during the Attack on 22nd May 2017.

I recommend that Protect Duty-holders are required to ensure that employees are trained in first aid relevant to injuries which are particularly likely to occur during a terrorist attack.

Centralised NaCTSO library of training materials

The suggestion made by Showsec that NaCTSO should set up a centralised online library where it will be possible to access training material is a good one. This will help in particular smaller organisations who cannot afford to employ professional help to assist them with a Protect Duty. Thought will need to be given to how access might be gained to this to ensure that this information is not misused by those seeking to do harm.

I recommend that NaCTSO sets up a centralised online library for training materials freely accessible to those subject to the Protect Duty.

Generic guidance in relation to the completion of risk assessments in relation to the threat of terrorism

The approach taken by SMG in its written risk assessments involved a numerical assessment of the likelihood of a terrorist attack. This was then used as a multiplier against a severity score. I have considerable reservations about this approach being used in connection with the threat from terrorism. This concern arises from the potential that a strictly statistical approach may suppress any total score to the point where the risk of a terrorist attack is regarded as being sufficiently low as to be acceptable and no action is taken.

There are at least three ways that this could be addressed. One option is to remove consideration of likelihood from the process altogether. This will result in a focus on what can be done without providing for an opportunity for the thought, ‘It will not happen to me’, entering the process. Another is to import it only in relation to drawing a distinction between different attack methodologies. Some spaces may be naturally highly protected from a particular form of attack. In those circumstances, having a mechanism to ensure focus is on the more likely methodologies may be advantageous. A third approach may be to ensure that the severity score range is sufficiently wide so that even when a low likelihood is applied, the total score still remains high enough to produce the necessary measures. A high severity score is clearly justified when considering the very high degree of harm a terrorist attack is capable of causing. I do not believe that a range of between 1 to 5, as was used by SMG, is sufficiently wide.

However, I have not heard sufficient evidence to express a concluded view on the best way to complete such a risk assessment. Nor have I heard expert evidence on the subject to inform me. In my view, NaCTSO is likely to have access to the necessary expertise to consider this issue in detail, identify the best approach and issue readily understandable guidance.

The Health and Safety Executive makes publicly available, via its website, guidance on the completion of a risk assessment, together with a template in the health and safety context.

I recommend that a similar facility should be made available by NaCTSO in relating to the risk of a terrorist attack.

The SIA

As I have already set out, the SIA licences individuals working in the security industry to carry out certain activities. Amongst those activities is operating CCTV over a public space. At present, a licence is only required by those who monitor CCTV under a contract for services. In-house CCTV operators do not need a licence. Although an attempt was made to justify the reasoning for this distinction by Tony Holyland, a senior employee at the SIA, I was unpersuaded. This distinction has been considered in the past, but no change has been made. In-house operators carry out the same job as those who monitor CCTV under a contract for services. The Inquiry heard evidence that more than one SMG employee who carried out monitoring of CCTVs asked for training but were not given it. There seems to me to be no persuasive reason why a licence should not be mandatory for those operating in-house as well as those working under a contract for services. I recommend that the distinction is abolished. All of those who monitor CCTV should be required to hold an SIA CCTV operator’s licence.

In addition to licensing individuals, the SIA runs an Approved Contractor Scheme (ACS). This is a voluntary scheme and, while individuals who carry out security work may require a licence or licences depending on what functions they carry out, companies who provide security and supervise these activities do not. While the ACS provides assurance that the member is a fit and proper person, there is nothing to prevent someone who is not a member of the scheme setting up and running a company providing security services. The SIA promotes good practice through its ACS. But there is no compulsion on companies to become a member or carry out good practice. While checks are made on how a company conducts its business when it applies to join the scheme, self-certification plays a considerable part in the process.

I recommend that consideration is given to amending the SIA legislation to require that companies which carry out security work which may include a counter-terrorism element are required to be licensed. This will ensure that only fit and proper companies carry out this work. It will also ensure that they are aware of and guard against the risks of terrorist attacks at the events where they operate and carry out proper procedures, including training to mitigate those risks.

Training

Training for an SIA qualification is designed to be mainly classroom-based. The SIA does not provide the training itself nor does it award the qualifications, that is done by independent providers who are subject to quality control. The SIA decides what areas the training has to cover. It is important that the quality of the providers is maintained but, providing that happens, it seemed to me to be a satisfactory system of training.

Training providers for the SIA qualification are not meant to rely to a large extent on document-based online teaching, sometimes referred to as e-learning. While e-learning is a convenient method of teaching large numbers of people without having to get them all together, the evidence at the Inquiry was that it is difficult to ensure that the training is properly carried out and it may be possible for the student to make it look as if the training has been done when it has not. That was the case with at least one of the employees of Showsec. There was another example of a Showsec employee doing e-learning on his mobile phone which is unlikely to have been a suitable way to ensure adequate training. Simply using good quality e-learning material is not sufficient. What is important is ensuring that the trainees have absorbed the learning. As was said in other contexts in the Inquiry, the learning needs to become part of the ‘muscle memory’. I recommend that there should not be undue reliance on e-learning and its limitations need to be recognised.

I recommend that if e-learning is used, there should be follow-up to ensure that the training has been understood. This can either be done while the job is being carried out or in a classroom. If this follow-up is carried out while the job is being carried out, it should be timetabled and recorded.

Should the period of training be paid for by the employer?

The SIA says that even with employees who are licence holders, it expects employers to provide continuous training. An issue arose as to whether training should be provided during paid time or during the employees own time. It seemed to be generally accepted within the security and crowd control industry that stewards who have been accepted for work but have not yet started should do their basic training during their own time.

The reason for this is that people who have been accepted as employees not infrequently do not take up the job, having found something else to do. While it is understandable that future employees are not paid for this time, it provides an incentive not to do the training especially as the training at that stage is most frequently e-learning. This makes it all the more important to ensure that new employees have diligently undertaken this training.

I recommend that employees should get further training after they have started their employment and they are paid for that training time. Training is important and it requires both employees and employers to take it seriously. Giving payment for doing it would encourage this and ensure that employees realise that employers take it seriously.

Primacy

The issue of primacy is relevant to both Volumes 1 and 2 of my Report. For that reason, I will not be giving any final recommendation on primacy until I publish the part of the Report which deals with the emergency response. I have received from BTP and GMP an interim memorandum776 on the policing of the Victoria Exchange Complex for which I am grateful and which I have considered. In case it may be helpful, I will set out my present thinking on the evidence that I have heard so far. While there may be other sites where similar considerations arise and my recommendations may be relevant to them, I do understand that the issues at different sites are likely to be unique both in terms of location and resources.

It is important that any decision about this is made solely on the basis of providing the best policing service for the public. There is always a risk that decisions will be influenced by a desire to retain areas of work because to do otherwise may be perceived as a of lack of competence. Equally, there can be a desire to take over another area of work to increase the influence and reach of a particular organisation.

As I set out in Part 7, BTP officers have jurisdiction to act with the powers of a constable in the Victoria Exchange Complex because of the ownership of the site by Network Rail. GMP officers also have such jurisdiction. They are concurrent jurisdictions. During the evidence it seemed that this fact was not clear to all officers. It is this that makes it necessary for a decision to be made on primacy.

It makes sense to me that routine policing of the City Room, by which I mean policing on days when there is no event taking place at the Arena, should remain with BTP. BTP will be on site because its officers police the station. As a result of BTP’s policing of the City Room to date, its officers have formed good relationships with the occupiers of the whole Victoria Exchange Complex and there is no suggestion that they have not done routine policing satisfactorily.

On event days, the situation is different. If there were to be a major incident connected with the Arena, it is inevitable that GMP would become involved in dealing with it. It is always likely to be the position, and certainly is the case now, that GMP will have greater resources immediately available than BTP in order to deal with a major incident in Manchester.

The handling of major incidents by BTP is done from Birmingham and/or London. While it is possible to do this with the assistance of modern technology, there will always be advantages in dealing with the matter locally if, for no other reason, because of a greater knowledge of the area.

If GMP are going to have to deal with any major incident arising from an event, it would seem sensible that GMP should be in charge of the policing intended to prevent a major incident happening. It would also have the additional benefit that GMP would be on site if anything was to happen. Although it is a matter of detail which is best decided by the individual police services, there seems to me to be good reason for primacy to transfer before the doors open for the event and transfer back a short period after the doors are closed.

Finally, GMP may already be involved in policing any crowd leaving the Arena when they come onto the street and it would be convenient for GMP to police the area right up to the time when the crowd has dispersed from it.

This does not mean that BTP would have nothing to do with the crowd who attended events at the Arena. BTP would be under a duty to ensure their safety and the safety of railway users as they passed through the station to reach the road. It would inevitably be a combined operation so there should be continued liaison between BTP and GMP over policing associated with events.