WHAT IS PROTECT DUTY
Protect Duty is a proposed law in the United Kingdom aimed at improving public safety and preventing terrorism. It would require businesses and organisations to take active measures to identify and mitigate the risk of terrorist attacks.
The idea of Protect Duty was first proposed in March 2019, following a spate of terrorist attacks in the UK. The government launched a public consultation on the proposal, which closed in July 2019. A report on the consultation was published in February 2020, and in September 2020, the government announced its intention to introduce a Protect Duty law.It is anticipated that it will become legislation in Spring 2023.
The proposed law would require businesses and organisations to conduct risk assessments, put in place security measures, and develop and implement a counter-terrorism plan. It would apply to a wide range of organisations, including those in the public sector, critical infrastructure, and crowded places such as shopping centres, sports stadiums, and concert venues. It may include places of worship, such as churches.
The government has said that the Protect Duty law would be based on the "principles of proportionality and risk-based decision-making." This means that organisations would be required to take measures that are appropriate to the level of risk they face. The law would also consider the size and resources of organisations, so that smaller businesses are not unduly burdened.
Some of the measures that organisations could be required to take under Protect Duty include:
Conducting regular risk assessments to identify potential threats and vulnerabilities.
Developing a counter-terrorism plan that outlines how to prevent, respond to, and recover from a terrorist attack.
Implementing security measures such as CCTV, access control, and screening of people and vehicles.
Providing training and awareness-raising for staff and stakeholders.
Cooperating with law enforcement and other authorities in the event of an attack.
The government has said that it will work with businesses and organisations to develop guidance on how to comply with Protect Duty. It has also said that it will provide support and funding to help organisations implement the necessary measures.
There has been some criticism of Protect Duty from civil liberties groups, who have raised concerns about the potential impact on individual rights and freedoms. Some have also questioned whether the law will be effective in preventing terrorism. However, the government has said that Protect Duty is necessary to address the evolving threat of terrorism and to ensure that businesses and organisations are doing everything they can to protect the public.
In summary, Protect Duty is a proposed law in the UK that would require businesses and organisations to take active measures to identify and mitigate the risk of terrorist attacks. It would apply to a wide range of organisations and would be based on the principles of proportionality and risk-based decision-making. The law would require organisations to conduct risk assessments, develop and implement a counter-terrorism plan, and implement security measures. The government has said that it will work with organisations to develop guidance and provide support and funding to help them comply with Protect Duty.
The proposed law would create a legal duty on organisations to take reasonable steps to prevent terrorist attacks from occurring on their premises, or in relation to their activities. This would include a wide range of organisations, such as those in the public sector, businesses, and voluntary organisations.
The law would be based on a risk-based approach, which means that organisations would need to assess their own risks and develop measures that are proportionate to the level of threat they face. This approach recognizes that different organisations face different levels of risk and would not impose a "one-size-fits-all" approach.
The government has said that it will provide guidance to help organisations comply with the law. The guidance would cover topics such as how to conduct a risk assessment, how to develop a counter-terrorism plan, and what security measures organisations should consider.
In addition to these measures, the government has proposed the creation of a new statutory body called the Protect Duty Commissioner. This Commissioner would have oversight of the implementation of the Protect Duty across different sectors and would provide advice and support to organisations.
The Commissioner would also have the power to issue enforcement notices to organisations that are not complying with their Protect Duty obligations. The notices would require the organisation to take certain actions to improve their security measures. Failure to comply with an enforcement notice could result in fines or other sanctions.
The government has said that it recognizes that complying with Protect Duty would require resources and that some organisations may need support. To address this, it has proposed a Protect Duty Fund, which would provide financial support to help organisations implement the necessary measures.
The government has emphasised that the proposed law is not intended to be prescriptive, and that organisations would have flexibility in how they comply with their obligations. It has also said that it recognizes the importance of protecting civil liberties and that the law would be subject to human rights considerations.
There has been some debate and criticism of the proposed Protect Duty. Some have raised concerns about the potential impact on civil liberties, particularly in relation to increased surveillance and monitoring. Others have questioned whether the law is necessary, given existing legislation and the measures already in place to prevent terrorism.
However, the government has argued that Protect Duty is necessary to address the changing nature of the terrorist threat and to ensure that all organisations are taking appropriate measures to protect the public. It has said that the law would help to create a "culture of security" and would promote greater collaboration between organisations and law enforcement agencies.
Overall, Protect Duty is a proposed law in the UK that would require organisations to take steps to prevent terrorist attacks. It would be based on a risk-based approach, and the government has proposed a range of measures to help organisations comply with their obligations. While there has been some criticism of the law, the government has emphasised its importance in ensuring public safety in the face of an evolving terrorist threat.
The proposed law would require organisations to develop and implement a counter-terrorism plan that outlines how they will prevent, respond to, and recover from a terrorist attack. This plan would need to consider the risks identified through the organisation's risk assessment and would need to be regularly reviewed and updated.
Organisations would also be required to put in place security measures to reduce the risk of a terrorist attack. This could include measures such as access controls, CCTV, and screening of people and vehicles. The type and extent of security measures would need to be proportionate to the level of risk identified by the organisation.
In addition, the proposed law would require organisations to provide training and awareness-raising for staff and stakeholders. This would help to ensure that everyone within the organisation understands their role in preventing a terrorist attack and knows how to respond in the event of an incident.
The government has said that it will work closely with industry bodies and other stakeholders to ensure that guidance on Protect Duty is developed in a collaborative manner. The guidance would need to be practical and user-friendly, so that organisations of all sizes and sectors can easily understand and comply with their obligations.
The proposed law has been broadly welcomed by many organisations, including the security industry, as well as by victims' groups and some members of parliament. They argue that the law is necessary to ensure that organisations are doing everything they can to protect the public from the threat of terrorism.
However, some civil liberties groups have raised concerns about the potential impact of Protect Duty on individual rights and freedoms. They argue that the law could lead to increased surveillance and monitoring, as well as potential discrimination against certain groups. The government has said that it recognizes the importance of protecting civil liberties and that it will ensure that the law is subject to human rights considerations.
In summary, Protect Duty is a proposed law in the UK that would require organisations to take active steps to prevent terrorist attacks. It would be based on a risk-based approach and would require organisations to conduct risk assessments, develop and implement a counter-terrorism plan, and put in place appropriate security measures. The law would also require organisations to provide training and awareness-raising for staff and stakeholders. While the law has been broadly welcomed, there have been concerns raised about its potential impact on civil liberties, which the government has said it will address.
To comply with the proposed Protect Duty law in the UK, businesses will need to take reasonable steps to prevent terrorist attacks from occurring on their premises, or in relation to their activities. Here are some of the key steps that businesses would need to take:
Conduct a risk assessment: Businesses would need to assess the level of risk that they face from terrorism, considering factors such as their location, the nature of their activities, and any past incidents or threats.
Develop a counter-terrorism plan: Based on the results of their risk assessment, businesses would need to develop and implement a counter-terrorism plan that outlines how they will prevent, respond to, and recover from a terrorist attack.
Implement appropriate security measures: Businesses would need to put in place appropriate security measures to reduce the risk of a terrorist attack. This could include measures such as access controls, CCTV, and screening of people and vehicles.
Provide training and awareness-raising: Businesses would need to provide training and awareness-raising for staff and stakeholders, to ensure that everyone within the organisation understands their role in preventing a terrorist attack and knows how to respond in the event of an incident.
Review and update: Businesses would need to regularly review and update their risk assessment, counter-terrorism plan, and security measures, to ensure that they remain appropriate and effective.
The specific steps that each business would need to take would depend on their size, sector, and level of risk. The government has said that it will provide guidance to help businesses comply with the law, which would cover topics such as how to conduct a risk assessment, how to develop a counter-terrorism plan, and what security measures businesses should consider.
In addition, the government has proposed the creation of a new statutory body called the Protect Duty Commissioner, who would have oversight of the implementation of the Protect Duty across different sectors and would provide advice and support to businesses. Businesses that fail to comply with their Protect Duty obligations could face enforcement notices, fines, or other sanctions.
PART 1. Conducting a risk assessment is a crucial part of complying with the proposed Protect Duty law in the UK. Here are some additional details on what this process would involve:
Identify the scope: The first step in conducting a risk assessment is to identify the scope of the assessment. Businesses would need to consider which parts of their operations and premises are relevant for the assessment. For example, they may need to assess the risk of a terrorist attack on their physical premises, on their staff or customers, or on their supply chain.
Identify the potential threats: Once the scope of the assessment has been defined, businesses would need to identify the potential threats that they face from terrorism. This could include threats such as a vehicle-borne improvised explosive device (VBIED), a chemical or biological attack, or a cyber-attack.
Identify the vulnerabilities: Businesses would then need to identify any vulnerabilities that could be exploited by terrorists to carry out an attack. This could include vulnerabilities such as inadequate physical security, poor access controls, or weak cybersecurity. Insider threat and Hostile Reconnaissance may also be vulnerabilities to some organisations.
Assess the impact: Businesses would need to assess the potential impact of a terrorist attack on their operations, employees, customers, and reputation. They would also need to consider the potential financial impact of an attack, including the cost of any damage or loss of revenue and the cost of any business continuity plans.
Determine the likelihood: Finally, businesses would need to determine the likelihood of a terrorist attack occurring, considering factors such as their location, the nature of their activities, and any past incidents or threats.
Once the risk assessment has been completed, businesses would need to use the findings to inform their counter-terrorism plan and the security measures that they put in place. The level and extent of security measures would need to be proportionate to the level of risk identified by the assessment. The government has said that it will provide guidance to help businesses conduct their risk assessments, which would cover topics such as how to identify potential threats and vulnerabilities, and how to assess the likelihood and impact of an attack.
PART 2 Developing a counter-terrorism plan is a crucial step that businesses would need to take to comply with the proposed Protect Duty law in the UK. Here are some additional details on what this process would involve:
Prevent: The first part of a counter-terrorism plan is focused on prevention. This would involve outlining the steps that the business will take to reduce the risk of a terrorist attack occurring. This could include measures such as access controls, CCTV, screening of people and vehicles, and training for staff on how to identify suspicious behaviour.
Respond: The second part of a counter-terrorism plan is focused on response. This would involve outlining the steps that the business will take in the event of a terrorist attack, to minimise the harm caused and to prevent the attack from escalating. This could include procedures for evacuating staff and customers, communicating with emergency services, and providing first aid.
Recover: The final part of a counter-terrorism plan is focused on recovery. This would involve outlining the steps that the business will take to recover from a terrorist attack, including measures such as repairing any damage to premises, restoring IT systems, and providing support for affected staff and customers.
The counter-terrorism plan should be based on the findings of the risk assessment and should be tailored to the specific risks faced by the business. It should be regularly reviewed and updated to ensure that it remains up-to-date and effective.
In addition to the counter-terrorism plan, businesses would need to ensure that they have appropriate governance arrangements in place to oversee the implementation of the plan. This could include appointing a senior manager with responsibility for counterterrorism, establishing a cross-functional team to oversee the plan, and ensuring that staff are trained and aware of their responsibilities under the plan.
The government has said that it will provide guidance to help businesses develop their counter-terrorism plans, which would cover topics such as how to develop effective prevention, response, and recovery strategies, and how to establish appropriate governance arrangements.
PART 3 Implementing appropriate security measures is a critical part of complying with the proposed Protect Duty law in the UK. Here are some additional details on what this process would involve:
Access Controls: One of the security measures that businesses can use to reduce the risk of a terrorist attack is access controls. This could include measures such as using key cards or biometric scanners to restrict access to certain areas of the premises or using barriers and bollards to prevent vehicles from getting too close to buildings.
CCTV: CCTV is another security measure that businesses can use to reduce the risk of a terrorist attack. CCTV can help to deter potential attackers and provide evidence in the event of an attack. It can also help businesses to monitor their premises and identify any suspicious behaviour.
Screening of people and vehicles: Businesses may also need to screen people and vehicles entering their premises to reduce the risk of a terrorist attack. This could include measures such as bag searches, metal detectors, and vehicle searches.
Physical security: Physical security measures such as reinforced doors and windows, perimeter fencing, and security shutters can also be effective in reducing the risk of a terrorist attack. These measures can help to prevent attackers from gaining entry to the premises or from causing significant damage if they do gain entry.
Cybersecurity: Finally, businesses would also need to ensure that they have appropriate cybersecurity measures in place to reduce the risk of a cyber-attack. This could include measures such as firewalls, antivirus software, and regular staff training on how to identify and prevent cyber-attacks.
It is important to note that the security measures that businesses implement should be proportionate to the level of risk identified in their risk assessment. The government has said that it will provide guidance to help businesses determine the appropriate security measures for their specific risks, which would cover topics such as access control, CCTV, screening, and physical security.
PART 4 Providing training and awareness-raising is a critical part of complying with the proposed Protect Duty law in the UK. Here are some additional details on what this process would involve:
Training for staff: Businesses would need to provide training for their staff on how to identify suspicious behavior and how to respond in the event of a terrorist attack. This could include training on topics such as evacuation procedures, first aid, and communication with emergency services. Staff should also be trained on the measures that the business has put in place to prevent a terrorist attack, such as access controls and CCTV.
Training for stakeholders: Businesses may also need to provide training for stakeholders such as suppliers, contractors, and visitors to their premises. This could include training on how to identify suspicious behaviour and how to respond in the event of an incident.
Awareness-raising: In addition to training, businesses would need to raise awareness among their staff and stakeholders of the threat posed by terrorism and the measures that the business has put in place to prevent a terrorist attack. This could include regular communication through staff newsletters, posters and leaflets in public areas, and briefings at staff meetings.
Testing and exercising: Finally, businesses would need to regularly test and exercise their counter-terrorism plan to ensure that it remains effective and up to date. This could involve carrying out simulated exercises to test the response of staff to a terrorist attack or testing the effectiveness of security measures such as CCTV and access controls.
It is important that businesses ensure that their training and awareness-raising is proportionate to the level of risk identified in their risk assessment. The government has said that it will provide guidance to help businesses develop their training and awareness-raising programmes, which would cover topics such as identifying suspicious behaviour, responding to a terrorist attack, and raising awareness among stakeholders ensure that their risk assessment, counter-terrorism plan, and security measures remain current.
PART 5 Reviewing and updating is a critical part of complying with the proposed Protect Duty law in the UK. Here are some additional details on what this process would involve:
Regular reviews: Businesses would need to regularly review their risk assessment, counter-terrorism plan, and security measures to ensure that they remain appropriate and effective. The frequency of these reviews would depend on the level of risk identified in the risk assessment and any changes to the threat level.
Updating the risk assessment: If there are any changes to the business's activities, location, or the threat level, the risk assessment would need to be updated accordingly. For example, if the business moves to a new location or expands its operations, the risk assessment would need to be updated to reflect any new risks.
Updating the counter-terrorism plan: If the risk assessment identifies any new risks or if there are any changes to the security measures in place, the counter-terrorism plan would need to be updated accordingly. This may involve revising evacuation procedures, updating contact details for emergency services, or revising the roles and responsibilities of staff.
Updating security measures: Businesses may also need to update their security measures if the risk assessment identifies any new risks. For example, if the business moves to a new location, it may need to install additional access controls or CCTV.
Monitoring and evaluation: Businesses would also need to monitor and evaluate the effectiveness of their risk assessment, counter-terrorism plan, and security measures. This could involve measuring the impact of any security measures that have been implemented, reviewing incident reports to identify areas for improvement, or carrying out staff surveys to gauge awareness and understanding of the counter-terrorism plan.
It is important that businesses are up-to-date and effective. The government has said that it will provide guidance to help businesses review and update their plans, which would cover topics such as frequency of reviews, updating the risk assessment, and monitoring and evaluation.
EXAMPLE here's a theoretical risk assessment for an average business:
Scope of the Assessment:
This risk assessment is focused on identifying the level of risk that our business faces from a potential terrorist attack. Our operations include a retail store located in a busy city center, an online e-commerce platform, and a warehouse located on the outskirts of the city. Our supply chain includes multiple suppliers from both domestic and international locations.
Risk Assessment Methodology:
To assess the level of risk from a potential terrorist attack, we will use a combination of qualitative and quantitative methods. The assessment will consider the following factors:
Threats: We will consider the current threat level and the likelihood of a terrorist attack on our business. We will use information provided by the government, law enforcement agencies, and other credible sources to inform our analysis.
Vulnerabilities: We will assess the vulnerabilities of our operations and premises, including physical security, access controls, and supply chain security. We will also consider any past incidents or threats that we have experienced.
Consequences: We will evaluate the potential consequences of a terrorist attack on our business, including loss of life, damage to property, and impact on our reputation and finances.
Risk Tolerance: We will consider our business's risk tolerance and any legal or regulatory requirements that we must comply with.
Risk Assessment Findings:
Physical Store: Our physical store is in a busy city centre, which makes it vulnerable to a terrorist attack. The store is located near other high-profile buildings, such as government offices, which increases the risk of a coordinated attack. The store has several access points, which may be difficult to control during an attack.
E-Commerce Platform: Our e-commerce platform is vulnerable to cyber-attacks, which could disrupt our business operations and potentially compromise customer data. A terrorist attack on our website could also damage our reputation and financial standing.
Warehouse: Our warehouse is located on the outskirts of the city, which reduces the risk of a terrorist attack. However, the warehouse contains valuable stock, which may make it a target for theft or sabotage.
Supply Chain: Our supply chain is vulnerable to attacks from terrorist organisations or criminals seeking to disrupt our operations. We rely on multiple suppliers, some of which are in:
Our Employees: Our staff queue to access lifts and entry points. The security process involves Identity checks.
Step 1: Identify Potential Risks
The first step in any risk assessment is to identify potential risks that could affect the business. This can include both internal and external risks. Some examples of potential risks for an average business might include:
Natural disasters such as floods, hurricanes, or earthquakes
Cybersecurity threats such as hacking or data breaches.
Physical security risks such as theft or vandalism
Employee safety risks such as accidents or injuries on the job
Financial risks such as fraud or embezzlement
Regulatory compliance risks such as failing to comply with industry standards or legal requirements.
Step 2: Evaluate the Likelihood and Impact of Each Risk
Once potential risks have been identified, the next step is to evaluate the likelihood and potential impact of each risk. This can be done using a risk matrix that considers both the likelihood and severity of each risk.
For example, a high-impact risk that is also highly likely to occur would be considered a top priority for mitigation, while a low-impact risk that is unlikely to occur may not require as much attention.
Step 3: Develop Risk Mitigation Strategies
Once the most significant risks have been identified and evaluated, the next step is to develop risk mitigation strategies to address each risk. This might include implementing security measures, developing emergency response plans, training employees on safety procedures, and implementing financial controls to prevent fraud.
Step 4: Monitor and Review Risks Regularly
Finally, it is important to monitor and review risks regularly to ensure that mitigation strategies remain effective and to identify any new risks that may arise. This can be done through regular risk assessments and audits, as well as ongoing monitoring of industry trends and regulatory changes.
By following these steps, businesses can identify potential risks, evaluate their likelihood and impact, develop risk mitigation strategies, and monitor and review risks regularly to ensure ongoing safety and security.
