Last reviewed 17 November 2020

Following a number of incidents on the European mainland, the UK terrorist threat level has once again been raised to severe, meaning an attack is “highly likely”. Mike Sopp examines the actions an organisation should take when a terror threat escalation occurs.


Since 2017, there have been 11 terrorist incidents in mainland UK.

At the moment, the threat level is severe, meaning an attack is “highly likely”. On a number of occasions, this has even been raised to critical, meaning an attack is “highly likely in the near future”.

For those with responsibility for security, the changes in threat level raises the question as to what action, if any, an organisation can or should take when a threat escalation occurs.

Threat and response levels

According to the National Counter Terrorism Security Office (NaCTSO), terrorism threat levels are designed to give a broad indication of the likelihood of a terrorist attack based on current intelligence, recent events and what is known about terrorist intentions and capabilities. Currently the UK is at severe, meaning an attack is highly likely but on occasion this has been raised to critical, meaning an attack is expected imminently.

In conjunction with these levels, NaCTSO has developed response levels that “provide a general indication of the protective security measures that should be applied at any particular time”. These relate to the threat levels as follows.

  • Severe: heightened response level — additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

  • Critical: exceptional response level — maximum protective security. Critical measures to meet specific threats and to minimise vulnerability and risk.

The above suggests that when a change in threat level occurs, those with responsibility for security need to consider what action to take. Indeed, NaCTSO guidance states that “as a consequence of the change in threat level it is recommended that those responsible for security review their plans and operations”.

Although this guidance is aimed at areas where large crowds may be found, it can be argued that the same principle should be applied to all organisations to ensure they are doing all that is reasonably practicable to protect staff and assets.

Physical measures

As part of an overall security management system the organisation should have completed an assessment of the security threats and analysed the risk from those threats. This should have resulted in appropriate security measures being identified and implemented commensurate with the risk and/or the organisations “risk appetite”.

Clearly, with any change in the threat scenario, consideration should be given as to whether there is a need to introduce additional security measures if the risks are deemed to have altered. In simple terms, the organisation should be asking whether the increased threat level equates to a need to increase the security measures already being taken. Factors that may influence this include:

  • any activities being undertaken during the raised threat level period above “business as usual” that could create increased risks (eg events that may increase public access or media attention or that are contentious)

  • geographical location of buildings and potential for an increased local threat and/or intelligence from local police/security services suggesting an increased local risk exists

  • whether current security measures are reducing risks to the tolerable level (ie was the original risk appetite set correctly or were inadequate resources/measures allocated to reduce the identified risk)?

Another factor in the current climate is the impact of the Covid-19 pandemic and how this will influence any additional security measures that may be required. Not only will Covid-secure guidelines need to be adhered to in respect of any changes made, implementing Covid-secure measures may themselves affect your security profile.

Elements of this work can be completed prior to a threat escalation to ensure a framework for responding can be developed. As NaCTSO notes, all protective security measures should be identified in advance of any change in threat and response levels and should be clearly notified to those staff that would be responsible for ensuring their implementation.

Clearly, in terms of physical measures to take as an escalation, this will be organisation specific but in general terms measures are likely to be procedural, cost-effective measures that can be implemented with all due expediency and could include:

  • increased security patrols in high-visibility clothing (at irregular times) of grounds and premises

  • reducing the number of access and egress points to the grounds and premises, for example, by changing electronic access control permissions

  • increased or changed searching/screening procedures for personnel, vehicles and deliveries entering the site

  • prohibition or cancellation of certain activities such as open public access events where large crowds of unknown persons could gather

  • increased housekeeping to reduce the opportunity for devices to be hidden

  • more robust enforcement of current security arrangements such as the wearing of identification badges and visitor signing-in procedures

  • review and exercising of emergency response, evacuation, lock-down and business continuity planning

  • ensuring there are additional staff available to implement any escalation measures.

Staff communication and vigilance

During any security threat escalation period, staff members may be concerned for their own safety and wellbeing, particularly if they are in a geographic area where recent terrorist incidents have occurred.

Good communication with staff members is essential not only to make them aware that their safety and security is being considered but also to make them aware of any increase in security measures that are being implemented.

It is common for organisations to utilise an internal visual system that indicates a buildings/organisations current security response level. Where such a system exists, staff members should be made aware of the increased responses in a sensible way that does not cause excessive alarm.

Pre-scripted messages may assist in this (approved by senior managers) that explain the measures and why they are being implemented. In addition, it is important that staff members are reminded of their roles and responsibilities (eg during a lock-down procedure) and where they can find additional information where required.

Staff vigilance is essential as they are very much the “eyes and ears” of the organisation. NaCTSO recommends increasing staff vigilance during an escalation situation. This can be through normal briefing sessions and messages or by additional briefings specifically aimed at vigilance requirements. Key factors to consider are how to:

  • recognise suspicious behaviour/hostile surveillance

  • report any concerns (eg person not wearing identification)

  • respond to any suspicious persons (eg the safe challenge approach)

  • respond to suspicious items

  • implement escalated security measures such as visitor control.

NaCTSO states that it needs to be emphasised that reports will be taken seriously and investigated and where possible showcase where previous staff reporting has led to positive outcomes as this helps to promote confidence in reporting.

It should be borne in mind that contractors with a permanent presence on site will need to be made aware of the escalation procedures so that business is not subject to unnecessary interruption due to escalation measures being adopted.


For those with responsibility for security, good planning to anticipate the potential for escalation in security threats will mean the organisation is prepared for such an eventuality. In particular the organisation should:

  • ensure a security threat/risk assessment has been completed that so far as possible takes account of any potential increased security threat

  • develop cost-effective additional security response measures that can be easily adopted/implemented in the event of an escalation

  • ensure that on the UK security threat level being escalated, the situation is reviewed and the necessary additional measures implemented as necessary

  • ensure all staff members (including contractors) are informed of the increased measures in a cogent and clear manner with all due expediency

  • ensure all staff (including contractors) are given the necessary instruction and information on vigilance procedures

  • keep the escalation procedures under review to ensure they reflect any changes in organisational arrangements.

Further information