Last reviewed 2 July 2021

The findings and recommendations of this report will have implications not only for security management but also for those with safety responsibilities in such environments, Mike Sopp finds.

In June 2021, volume 1 of the report of the public inquiry into the terrorist attack at Manchester Arena in May 2017 during the Ariana Grande concert was published.

With recommendations being linked to the proposed new legislative “Protect Duty”, those with responsibility for health and safety may find themselves on the front line in terms of meeting the proposed new duty.

Inquiry findings

The tragic events of May 2017 saw 22 innocent people lose their lives as a result of a terrorist attack at Manchester Arena. Many more suffered life-changing injuries. The public inquiry into this event has now published its report into the security aspects of this incident.

In conclusion, the Chair of the public inquiry found that the security arrangements at the Arena failed to prevent or minimise the impact of the attack. Although it was concluded that the assailant would still have detonated the device in the event of a “disruptive intervention”, there were missed opportunities that led to the failure.

Part 1 of the report examines further the events of the night and the missed opportunities, including inadequate security patrols, CCTV blind-spots, lack of police presence and not acting on concerns of a member of the public in relation to the attacker.

In addition to the immediate failings, the inquiry examined underlying aspects including the relationships between the various parties involved and responsibilities for security at the event.

The inquiry concluded that both SMG (the arena operator) and Showsec (the crowd control/event security contractor) had duties imposed on them by the UK health and safety regime.

The inquiry did not find that safety was deliberately compromised to save money “even on the balance of probability” but that, on the evidence heard, “SMG and Showsec did not take a number of necessary steps, some of which would have involved the spending of additional money in order to provide a sufficient level of protection against the terrorist threat”.

Key safety regime findings

The inquiry focused on a number of health and safety legislative requirements, which were:

  • core duties of employers under ss.2 and 3 of the Health and Safety at Work, etc Act 1974 (HSWA)

  • duties under s.33 of HSWA in relation to contravention of ss.2 and 3, as well as the Management of Health and Safety at Work Regulations 1999 (MHSWR)

  • regulation 3 of MHSWR in respect of the completion of a suitable and sufficient risk assessment

  • regulation 11 of MHSWR in respect of co-operation and co-ordination in shared workplaces.

The report looks at these requirements in detail, with the chair of the inquiry concluding that:

  • SMG’s approach to risk assessment as it related to terrorism was inadequate

  • Showsec’s general written risk assessment in relation to the threat from terrorism was inadequate

  • SMG and Showsec should each have taken into account the steps being taken by the other when conducting risk assessments

  • the necessary level of communication, co-ordination and co‑operation was not achieved.

Part 6 of the report then provides detailed evidence as to why these conclusions were reached. It highlights, among other factors:

  • neither organisation took account of the findings of a National Counter Terrorism Security Office (NaCTSO) assessment for the arena indicating its vulnerability and the fact that the UK terrorist threat level at the time was “severe”

  • neither organisation had reviewed its risk assessments, particularly in light of the growing person-borne improvised explosive device threat

  • there was limited engagement or taking into account advice from the Counter Terrorism Security Advisor from the local police service

  • the risk assessment process did not take into account the findings of a Security Risk Analysis

  • SMG’s event-specific risk assessment had descended into a tick-box exercise

  • there was limited co-operation and co-ordination between parties when conducting risk assessments.

The remainder of Part 6 then reflects on the counterterrorism measures and failings including training, licences, hostile reconnaissance response, CCTV monitoring, security perimeters, patrols, etc.

Key recommendations

In Part 8 of the report, recommendations are made under the heading of “guarding against complacency”. The conclusion drawn by the inquiry is that the parties involved had become complacent as to the threat of a terrorist attack.

In respect of risk assessing, the recommendations include that each venue and each specific event at the venue should have a risk assessment that takes into consideration the risk of a terrorist attack.

It continues by stating that “inadequate consideration of that risk may result in incorrectly identifying a low risk. This, in turn, may cause those responsible for security to be insufficiently alert. That is what occurred here”.

It further states that “the discipline of undertaking a risk assessment will assist in keeping the threat of terrorism at the forefront of the minds of those who prepare for the event”.

The report makes two significant recommendations associated with the above as follows.

  1. NaCTSO should consider the most appropriate methodology to complete a terrorist threat risk assessment and issue readily understandable guidance.

  2. The proposed Protect Duty being considered by the Government should include the need to assess the risks and most importantly put into action the necessary risk control measures.

The former recommendation is made as the inquiry had considerable reservations about the approach being used in connection with risk assessing the threat from terrorism.

The Protect Duty

In respect of the second point, the UK Government currently has an open consultation in relation to the proposed Protect Duty. The consultation aims to consider how to “use legislation to enhance the protection of publicly accessible locations across the UK from terrorist attacks and ensure organisational preparedness”.

A wide range of buildings could potentially be within scope, as the proposed threshold is any accessible public building which is capable of holding gatherings of more than 100 people and organisations employing more than 250 people that operate at publicly accessible places.

For public venues and large organisations within the scope the owners/operators would be required to:

  • use available information and guidance provided by the Government (including the police) to consider terrorist threats to the public and staff at locations they own or operate

  • assess the potential impact of these risks across their functions and estate, and through their systems and processes

  • consider and take forward “reasonably practicable” protective security and organisational preparedness measures.

The term reasonably practicable is familiar to safety practitioners but the consultation recognises that applying this concept to protective security may be “new for many venues and organisations”.

As such, supporting Government guidance would provide details of the range of appropriate measures for organisations within scope to consider.


  • The findings of the Manchester Arena inquiry clearly imply a link between effectively managing threats from terrorist attacks with an organisation’s wider duties under health and safety legislative requirements.

  • This reflects the approach already taken within official documents such as the CPNI publication Protecting Against Terrorism, which notes that “in the event of an incident, any subsequent inquiry or court proceeding will look for evidence that the relevant legislation was followed”.

  • Organisations need to consider the threat of terrorism and assess the risks, ensuring that the risk assessment is meeting the suitable and sufficient criteria.

  • General guidance on how to undertake this is available from many sources, not least the UK Government website.

  • With the proposed new Protect Duty likely to come into law sometime in 2021–22, organisations will need to consider whether they come into scope and, if so, where responsibility for meeting this duty will rest.

  • The health and safety practitioner should be the “custodian” of health and safety legislation, ensuring that an organisation will be doing all that is reasonably practicable to meet its legal obligations. Organisations will need to consider if the Protect Duty will also come under this function, or instead be the responsibility of the security function, etc.

Further information