What Does This Mean For Organisations?

WHAT DOES THIS MEAN FOR ORGANISATIONS?

1. Engage with freely available counter-terrorism advice and training provided by the Government and the police.

2. Conduct vulnerability assessments of their operating places and spaces, considering the impact to the public.

3. Mitigate the risks created by the vulnerabilities using ‘reasonably practical’ measures.

4. Have a counter-terrorism plan.

5. Plan for the threat of terrorism.

Protect Duty Legislation will impose that organisations consider the threat of attacks and take forward proportionate measures to reduce the risk. The current proposal consists of five requirements, this states that public venues and large organisations within the scope of a Protect Duty will be obligated to:

REQUIREMENTS FOR MEASURES TAKEN

The overall requirement is for organisations to identify areas with a potential risk of terrorism and to implement plans to mitigate them. Requirements for appropriate action taken could include:

Implementing proportionate measures through relevant systems, processes and functions to improve public safety and security
Introducing physical & procedural security to limit the freedom of movement of an attacker
Establishing clear roles and responsibilities for local partners
Working with key partners (e.g. police) to consider how a security plan would operate in priority local areas
Technology solutions that support the identification of potential threat, limit the opportunity for an attack and coordinate a response in the event of an attack
Training for staff to enable them to recognise and respond to a potential threat

HOW WILL COMPLIANCE BE MEASURED?

A risk assessment based method is encouraged.

It is currently proposed that “compliance would be demonstrated by providing assurance that the threat and risk impacts have been considered, and appropriate measures have been considered and taken forward (implemented or plans in place for their progression)”.

These risk assessments will need to be recorded and retained by organisations to demonstrate that action has been taken, should evidence ever be required. They will also need to be reviewed at least once a year and when circumstances change either with their external or internal risk context.

Internal risk context - for example, following an expansion of an organisation’s premises and/or staff numbers, or a change in the business model, such as a restaurant starting to serve customers outside.

External risk context - for example, a significant terrorist attack in the UK or a change in the Government national terrorism threat level assessment.

WHAT HAPPENS IN AN INVESTIGATION?

It is currently anticipated that an inspection regime would be required to evaluate whether those within the scope of Protect Duty are meeting its requirements.

When investigated, organisations will be expected to demonstrate the steps that have been taken to prepare for and/or respond in the event of an attack. This may also include providing completion certificates from appropriate staff training courses, evidence of physical security measures and evidence of an attack response plan. Where steps have not been taken, they will be expected to explain why.

Given the severe impacts that could occur as a result of a breach, it is proposed that a new offence is created for organisations who persistently fail to comply. This would involve penalties based on civil sanctions (such as fines).

Once the inspection has finished, inspectors will have the capacity to provide advice and guidance for organisations. Where measures were considered insufficient, inspectors can request that changes are made within a set timeframe. If these are not taken forward, further steps could include notices of deficiency and enforcement action.