Protect Duty: Health and safety and security management
Health and safety and security management share many key elements. Their main priorities are keeping people safe and allowing organisations to keep functioning. Both disciplines are legally based, so occupational safety and health (OSH) professionals and security professionals need to keep up to date with upcoming legislation.
This month, the government has introduced Protect Duty. This legislation, and the changes it brings, will enhance the protection of the UK’s publicly accessible places from terrorist attacks and ensure that businesses and organisations are prepared to deal with incidents.
The approach the government has taken has raised interest within the OSH community, mainly due to the requirement for organisations to undertake a risk assessment. The assessment covers the risks posed to them by terrorist activities, based either on information about terrorist attacks available through freely accessible government websites (the Centre for the Protection of National Infrastructure (CPNI) and the National Counter Terrorism Security Office (NaCTSO)) for smaller or local event organisers, or on other means for larger organisations.
Legal context is important here. The proposed new duty is not criminal law such as health and safety law, where non-compliance can result in prosecution and a criminal record for those found to be culpable. This places an important limit on the legal liabilities of those with duties under this law. The proposal is for a new offence for non-compliant organisations based on civil sanctions such as fines. That is not, however, the same as Common Law where the employer is liable by default for the actions of employees. It is quite possible, but not entirely clear from this document, that individuals could be vulnerable to being fined.
Application of the legislation
The document discusses who the proposed legislation should apply to. There are three main areas (but it may also apply to other locations, parties and processes by exception):
- public venues (eg entertainment and sports venues, tourist attractions, shopping centres)
- large organisations (eg retail or entertainment chains)
- public spaces (eg public parks, beaches, thoroughfares, bridges, town/city squares and pedestrianised areas).
From an Institution of Occupational Safety and Health (IOSH) perspective, any organisation that is public-facing should consider the risks of terrorism to the safety of their workers and members of the public using their facilities.
Requirements of the legislation
The general requirement of the legislation is that applicable organisations must assess the risks posed by terrorist threats to workers and members of the public.
Risk assessments are a time-tested technique used by organisations to manage not only OSH risks but also general business risks. The consultation does not specify how the legislation, or its supporting guidance, will require the risk assessment to be carried out, but a good technique used by OSH professionals is set out below.
- What is the hazard? (Hazard identification).
- Who can be harmed and how?
- What current control measures are in place? (Risk control and mitigation).
- What is the likelihood of the hazard being realised and the consequence of harm? (Risk prioritisation).
- What additional control measures are required to eliminate or further mitigate the risk? (Risk control, mitigation and resilience – risk treatment).
- Is the remaining risk after controls acceptable? (Residual risk).
This is where some of the terminology changes from OSH to security. Generally, OSH professionals use the term ‘hazard’ as something with the potential to cause harm. In the Protect Duty legislation, ‘threat’ is used, which is more akin to terms used in business risk assessments. The same applies to ‘risk control’, which tends to be an OSH term, while business risk assessments use ‘mitigation’. However, these terms are fairly interchangeable, and the above technique can still be used.
Like OSH hazards, the threats need to be fully understood to properly assess the risk. The legislation talks about threat and risk.
Key initial steps are understanding threat and risk.
- Understanding the terrorist threat – noting that terrorist groups, their motivations and target preferences and attack methodologies can differ and tend to change over time.
  - A useful level of awareness can be achieved by following open source media reporting of recent attacks and their methodologies, understanding and monitoring the National Threat Level, and browsing relevant government websites.
- Understanding the specific risks the threat poses for your site and/or organisation – how and why your site/organisation might be affected, either by being targeted directly or through indirect impacts, due to its location in a particular area or because of its proximity to neighbouring sites, businesses, or organisations that may be targeted.
  - You should undertake a risk assessment to identify and record terrorism risks and appropriate mitigations. This should be aligned with your organisation’s/site’s wider assessment of risks and their management.
One of the unknowns with the key initial steps in the legislation is which methodology organisations should use to assess their risks from terrorist activities. Is it purely going to be via a qualitative risk assessment process using an indicative matrix, or using a semi-quantitative or even quantitative methodology?
Due to the subjective nature of threats from terrorist activities, it is likely that a qualitative approach will be adequate to properly assess the risks to the organisation, its workers and members of the public. Risks assessed as green within the matrix will be considered low risk to workers and members of the public, while amber and red-rated risks will need more controls or mitigations added to reduce the risk to tolerable levels.
From an OSH perspective, this risk assessment could link into the suite of assessments that an organisation needs to evidence to show that it is managing all its risks properly. It is likely many public-facing organisations will already have considered terrorist threats within their OSH workplace risk assessments. The introduction of this legislation may mean that organisations split this from their OSH risk assessments into separate documents, which may or may not have an effect on the detail of the information presented.
Again, like OSH risk assessments, this legislation talks about implementing mitigations to unacceptable risks. However, there is no evidence that it takes into account what an organisation’s risk tolerance would be to a terrorist attack.
Expressed in quantitative terms that can be monitored, risk tolerance is often communicated as acceptable or unacceptable outcomes or as limited levels of risk. Risk tolerance statements identify the specific minimum and maximum levels of risk that the organisation is willing to accept. The range of deviation within the expressed boundaries would be bearable. Exceeding the organisation’s established risk tolerance level may endanger its overall strategy and objectives. This can be due to the consequences in terms of cost, disruption to objectives or in reputational impact.
What risk would an organisation tolerate in the case of a terrorist attack? It could be self-explanatory that no organisation would tolerate harm or loss of life to workers or members of the public, but what about loss of buildings or other assets?
Controls or mitigations are a normal part of any risk assessment. The Protect Duty discusses mitigations such as physical security measures including CCTV, security doors, fences, electronic access and intruder detection systems, and ‘people’ measures such as training and awareness, eg ACT Awareness e-Learning (Action Counters Terrorism). It also talks about developing cultural controls, encouraging and enabling a security culture in the workplace, eg ensuring that any concerns can be easily reported and will be acted upon and that managers lead by example and avoid giving mixed messages.
When implementing mitigations within their risk assessments, security professionals should consider what OSH professionals call ‘the Hierarchy of Control’. This means implementing the most effective controls first and turning to controls at the lower end only when higher-level options are not feasible. Professionals should look at controls needed during preparation, execution and recovery of a terrorist event.
It is also important to ensure that any security measures/plans don’t conflict with OSH requirements, including fire controls. The Bradford City Football Club fire in 1985 was an example of how security controls impacted on the health and safety of members of the public. The stand was ill-equipped to cope with an emergency – six fire exits at the back of the stand were found to have been locked, with seven forced or found to be open by supporters fleeing the fire.
This piece of legislation does not introduce new concepts for keeping workers and members of the public safe but leans on existing methodologies from different fields, such as OSH, and applies them to other risks to an organisation, such as the terrorism risks the Protect Duty will cover. How this legislation will work in practice is still debatable, but it is definitely something that security professionals will need to consider.
Written by Michael Edwards CMIOSH, Institution of Occupational Safety and Health (IOSH).