Kizzy Augustine, Partner
Welcome everyone. I am Kizzy Augustine, I'm a partner and head of health, our health and safety practise at Mishcon de Reya. Joining me today is my fellow Mishcon partner Felicity Jones, who's the co-chair of our hotels group, and Guy Mathias, the former risk and security director and chair of the Cross-sector Safety and Security Communications group and passionate about all things counter-terrorism. Um, we're going to aim to guide you through at least the first 48 hours and beyond, uh, when an event operator or venue operator or building owner is caught unprepared under Martyn's Law. Now, for security reasons, you have joined this session automatically on mute and without your video on. If you've got any questions, um, you can use the Q&A function at the bottom of your screen, and if you have any technical issues during this event, please feel free to let one of us know using the Q&A function again, and one of us will help you. So straight in to the nightmare scenario. Here is our venue or event operator. There is a queue outside, the doors are opening in 20 minutes, and then a member of staff rushes over, there's a regulator who's turned up unannounced.
The venue is now deemed in scope of the Terrorism Protection of Premises Act 2025, Martyn's Law to, to you and I. What the operator, uh, knows is the security plan is incomplete, the team hasn't been trained, procedures don't seem to meet statutory duties. What now? I think the first question that comes up for, for most operators would be, do they stop the event? Do they close the venue? Do they engage with the regulator? And what sort of response is needed? What do we mean by a proportionate or reasonable response? What is it the operators and building owners need to know? So just for the sake of, of clarity, I just wanted to touch for a minute or so on what the law says. And the law mandates publicly accessible venues and events to prepare for and reduce the risk of terrorist attacks. This is the point of Martyn's Law, and it's using a tiered legal security standard. For those of you who are aware of this, I hope you understand the difference between smaller and larger venues and what comes into scope? So again, in summary, smaller premises where you've got 200, uh, to 799 individuals potentially being present, they'll be in that standard tier.
The requirements are centred on simple, low-cost activities designed to ensure that those that work at those premises or events, um, are better able to reduce harm and save lives in the event of an attack. Things like locking doors, closing shutters, and identifying safe routes to cover. Persons responsible in those standard tiers are required to notify the regulator, the Security Industry Authority, SIA, and have in place, have in place, so far as is reasonably practicable, appropriate public protection procedures. Larger premises and qualifying public events, like in our scenario today, that's where you've got 800 or more individuals, uh, might be present, they're in an enhanced tier. So in addition to what you have to do in the standard tier, you've got to have further requirements, putting in place, uh, appropriate public protection appropriate measures to reduce vulnerability, uh, appropriate measures to enhance, uh, things like bag searches, CCTV, and other monitoring and vehicle checks. Again, quite onerous to deal with, and we can go into a bit of that detail once I speak to my, my guests. For all premises and events, and events like this scenario, everything is subject to this concept of reasonable practicability. It's a concept that's found in health and safety, fire safety, and to determine what we mean by reasonably practicable, the person that is responsible needs to take account of all particular circumstances, including the nature of the premises, the activities being performed, and resources available to them.
So when I'm speaking to our operator, I'm generally going to speak to an individual who is identified as the responsible person, those who control qualifying premises and if they don't take control of these duties, they're committing an offence for which they are failing without reasonable excuse to comply with their obligations. Those have civil penalties, but also criminal penalties, uh, that can be imposed by the regulator. So that individual needs to know what their obligations are and how they mitigate risk for themselves and for their organisation. They'll be specifically named and personally accountable. So we're going to get into this because this is really important to understand. These are new statutory duties. Our operator isn't prepared for this. You have a designated senior individual who is personally exposed from day one so having a discussion around this in the first 24 hours is key. We need to think about genuine engagement. We need to think about risk assessment, security measures, and these consequences for non-compliance. Guy, I'm going to bring you in here. Our operator is in operational panic, they're not ready for this. What do we do from a, a kind of consultant perspective? What would you be advising our venue operator?
Guy Mathias, Director of Risk & Operations
Suntory and Chair of the CSSC
Well, thank you, Kizzy. I am delighted to be joining everyone today. Um, yeah, the op panic. Um, well, it's often the stage where organisations will in reality probably first confront the reality of Martyn's Law and probably realise that they're just not as prepared as perhaps they had assumed or had been told that they were prepared. So the immediate reaction generally is, we're just not ready to do this, uh, and I think whilst we've talked about, there may be an awareness of this legislation that's now been around for a number of years in terms of, uh, narrative. Uh, there isn't really no, or on a frequent basis, no clear internal owner responsible for either seeking to implement or indeed to oversee the compliance with this law, uh, and generally, therefore, as a result, that then leads to uncertainty and that will spread throughout the organisation. So the purpose of today is to try and point this out, but also to give some practical advice for the phases that go through from operational panic through to the system itself. Um, but in an op panic situation, leadership teams generally begin to demand and scramble around for answers. Executive boards often want to understand what the exposure is, what requirement is there from an action perspective. And generally, certainly from my experience, general counsel teams try to interpret those legal obligations, uh, map them into the existing policies and risk frameworks that have been put in place.
However, the challenge, of course, is that often, and that's what we're trying to flag today, are your frontline staff trained? Because generally, and often in a situation that is in operational panic, sadly, they prove sometimes untrained. They sometimes are unaware of the requirements and very generally unclear about their role, either personally or as a team, in responding to a Martyn's Law incident and perhaps in terms specifically in terms of a terrorist threat. So the key challenge is that most organisations don't have any established governance structure for terrorism-related compliance, whereas you rightly pointed out in your introduction, those aspects are very clearly defined around health and safety, around data protection, or indeed financial and regulatory controls. But often from a security risk and resilience perspective, there is very rarely a mature framework is already in place and I think this creates the gaps we are talking about today around accountability, reporting, and decision-making. And that then will lead to confusion about who is responsible, uh, I think security teams may view it as operational issue. Guess what? Operations teams may see it as a facilities matter and I've rightly pointed out earlier, legal teams are focusing on what their compliance obligations are. So in terms of trying to concentrate on the physical environment, the facilities and security teams need to be aware of what they're doing. And we've said already, without clear ownership, organisational risk delays, duplicated effort, and inconsistent approaches will plague this situation. So very much in short, it's the moment in terms of operational panic when organisations move from an awareness to reality, discovering that perhaps their compliance with Martyn's Law requires new governance, clear accountability, trained staff, and coordinated action across those multiple functions. So that's where I would steer people to put provision in place to address the bits that I've just been speaking about.
Kizzy Augustine, Partner
I think, I think you're right. I mean, it also understanding, does our event come into scope? I mean, this is where the nightmare, this is where the nightmare starts.
Guy Mathias, Director of Risk & Operations
Suntory and Chair of the CSSC
Yeah.
Kizzy Augustine, Partner
You know, you may anticipate it doesn't come into scope. Our event holds at least 800 people, you know, including staff. They forget it's not just about the people that attend, it's staff, it's volunteers, it's performers, it's contractors, etcetera. In, in the, you know, in an industry perspective, and I think talking from hotels and events and hospitality sector, there've been lots of trade bodies who are putting together specific guidance as well as having the statutory guidance, uh, brought out by the SIA and the Home Office guidance. Felicity, in, in your perspective, from a commercial standpoint, what are those shockwaves? What is it that's really now starting to worry, or should start to worry, the hospitality sector?
Felicity Jones, Partner
Well, I come from the background of being a hotel's, a corporate lawyer, corporate and commercial, sitting with real estate because that's the nature of the asset. So initially my view is, is usually from an owner's point of view. Um, it will affect the brands as well, but where an owner has employed a manager who manages their staff, but the staff are still the owners, there is a big concern about where the liability will sit.
Kizzy Augustine, Partner
Mm.
Felicity Jones, Partner
Generally, the operator or manager will, will be responsible for supervising and directing the staff, but in many cases it's not even in the jurisdiction, so there will be possibly a, a mismatch between the owner thinking they're safe because the operator should have been dealing with all this, and the operator then saying, but it is a business risk and largely the owner's risk, we instructed the general manager to make sure that this was covered. We've done our piece as regards compliance. So then, then there will be a tension. In the best scenario, with the best brands, they will be working together. But the main thing, of course, is there's a reputational risk to the venue, to the brand, possibly to the owner and the site.
Kizzy Augustine, Partner
Yeah.
Felicity Jones, Partner
It depends on the nature and how it's reported of the event that happens. So getting, um, following Guy's, Guy’s advice to get your facilities and security working together and somebody who oversees the top of it and takes that responsibility, is vital. And also, as part of your processes, I would have thought advising your bank, advising their insurers, advising all those you need to when it happens, so that you don't end up with your commercial conflicts as well as your very real legal conflict.
Kizzy Augustine, Partner
And that's quite important because, I mean, all those things that you spoke about, uh, you know, understanding the commerciality around it, understanding liability and who should be asking the questions, who should be answering those questions, the reputational impact of getting this wrong. You know, those decisions on how to progress, do we shut, do we engage with the regulator, all of those decisions almost should come from somewhere. They're not something that should just be considered when the regulator turns up.
Felicity Jones, Partner
Well returning all your, returning all your money to the rejected guests will be something you hope will be covered by insurance, so it's a very real, um, commercial impact.
Kizzy Augustine, Partner
Yeah, I think the nightmare, I mean, the nightmare itself doesn't end there because you move on to, you know, past the first 24 hours and you've made that decision. You're either going to go ahead and you're going to do this by engaging with the regulator and others, or you're going to shut and get your house in order. I think you can't make that decision unless that's documented somehow, you've justified how you've made that decision. One easy way of doing that is having an incident response protocol in place. Um, you know, days kind of, what, 2 to 7, you should be looking at what procedures do we have in place. Are we, you know, in a position to defend any sort from a regulator, even if it isn't the SIA, there are other regulators who might be, uh, interested in the procedures and preparedness that we have in place. So recording that, even if you don't have the most perfect steps in place, making sure that you're evidencing your, um, demonstration of good practise and good engagement. I think the SIA has taken a view that they're going to be supportive for now during the implementation period, now that this act is enforced, but it doesn't mean enforcement won't follow, um, if there is a failure to engage. So you some sort of plan. Our operator needs to have compliance at the forefront of their mind. That's things like risk assessments, documenting action points, and identifying gaps, really, what that could trigger enforcement. Guy, proverbial question: what does a perfect terrorism risk assessment look like?
Guy Mathias, Director of Risk & Operations
Suntory and Chair of the CSSC
Um, well, I think there's a, a real misconception, uh, throughout the narrative of Martyn's Law that any sort of terrorism risk assessment should necessarily begin with external consultants. There's a place for that, and we would certainly be very help willing to help out with that but in reality, many organisations, I think, can take those meaningful first steps that you've just alluded to and make that an in-house perspective. But the key requirement is that the assessment is both documented, but also that it is supported by a very clear governance process and that's the dull, that's the somewhat tedious aspect but you have to have that in play to underpin what it is you seek to put in place. Um, so very much the priority is around creating a structure for that risk assessment and making sure that there is suitable accountability. Um, you can start that with a temporary governance group that can coordinate the activity across the organisation that you're involved in, but I think it will help to drive perhaps early decision-making, um, around what you're seeking to do. I think that responsibility for the compliance piece very clearly needs to be assigned in a very clear manner, uh, because if you don't have a designated owner, I think there's a very clear risk that important actions, uh, will fall between the various stakeholder groups that we mentioned previously. It could be security operations, estates, legal facilities teams. Um, it's a good time now, if you're not already doing it as an organisation, that in conjunction with writing the policy, writing the assessment, you are doing some form of staff awareness training. And there are plenty of great free-to-air vehicles that you can do with that, or bring in somebody to provide that. But all employees and all stakeholders really do need to understand the basis of what is recognising threat, that's to them personally and their part in the institution or the organisation? How do they notice and/or report concerns? And importantly, how do they respond appropriately and to function during an incident? So organisations should certainly be reviewing existing physical security measures, understanding what their current arrangements look like. Where are the gaps? Can you identify the gaps? Because it's always the things that you haven't thought of that will catch you out. And determining whether those existing controls remain appropriate for the risks faced. So I think…
Kizzy Augustine, Partner
Being adaptive, being adaptive to…
Guy Mathias, Director of Risk & Operations
Suntory and Chair of the CSSC
Being adaptive, being agile, I think, as well, Kizzy.
Kizzy Augustine, Partner
Yeah.
Guy Mathias, Director of Risk & Operations
Suntory and Chair of the CSSC
Yeah, no absolutely. Uh, and I just think the overall message that I would be saying is that they, that all organisations, you, we don't need to have every answer immediately. You made that clear in your introduction and I think what matters is seeking to demonstrate a structured approach, documenting the risk assessment, and hopefully you should have some form of risk assessment already in place, that’s adaptability again, making sure the governance process is through. Who is taking ownership? Who and where does the buck stop? What is the staff awareness and what are your immediate responsive practical security and risk measures?
Kizzy Augustine, Partner
I think that's a good, a good answer actually to a question that we've had, um, talking about smaller sort of voluntary organisations that might hold an event that has plus, you know, 800+ people potentially attending. Um, I think looking at this from a risk assessment perspective, it's doing what's reasonable so understanding that cost-benefit analysis and doing what is reasonably practicable in the circumstances for that organisation should be key. And looking at risk assessments, looking at documents, looking at maybe getting advice from, uh, consultants who are very familiar with that type of organisation would be key as a first step. You know, even looking at this from an industry perspective, Felicity, there is this push-pull between what contractually you have in place versus what from a regulatory perspective you need to do to meet compliance standards. Does that exist in the hotel sector?
Felicity Jones, Partner
Well, you will find there are many long-standing management agreements and franchises, and very long-term ones being entered into today where there is a general compliance obligation. But if, if it isn't carefully reviewed, the operator will say that they operate in compliance. What you want to know is that the venue they're operating is in compliance. So there's the two levels there.
Kizzy Augustine, Partner
Mm.
Felicity Jones, Partner
When and if there is a problem, you want to be able to look at training and policies. Um, and the good brands will be on top of this with their training and policies, because many owners will say, this is why we take a brand, why we take a manager but they also need to know that the actual, the liability or the costs will probably flow through as an operating expense, which means the majority of it is owner's cost.
Kizzy Augustine, Partner
Mm hmm.
Felicity Jones, Partner
The risk of these businesses ultimately sits with the owner. And there will be operational insurances and property insurances, and I think you've got to have a good relationship with your insurer and have the discussion with them so that they are comfortable with your risk assessments too. Um, and really, it, there'll be monthly meetings to go through figures. There almost ought to be an addendum which covers some of the compliance issues, so the owners can be comfortable as well. They, they know who's going to call them when there's a problem at their venue so.
Kizzy Augustine, Partner
So it's being informed, just keeping informed…
Felicity Jones, Partner
Yes absolutely.
Kizzy Augustine, Partner
…and having oversight over what's going on, maybe closer to the ground.
Felicity Jones, Partner
Ideally not being the person that takes responsibility because they're not on the ground with the facilities and securities. You should be probably looking at a general manager or the manager of the venue but certainly making sure the owner knows, um, and the operator knows, and so everybody can work together and hopefully that will help reduce the debates between them, the brand wanting to claim because it feels its brand's been damaged as a result of the owner's team at the hotel or venue not being sufficiently trained, and then the owner will say, well, the training was, was your obligation. So it is making sure that people work together, coming back to Guy's point, the more people work together, the more there is a satisfactory solution.
Kizzy Augustine, Partner
And also just understanding and having a better awareness of, of what is expected of you, even if you feel so far removed from the actual operation, there may be an expectation from a leadership perspective that you will, uh, take charge, you'll lead the charge in terms of compliance, even if it is you're not doing the compliance actions, but you are dictating that these things should happen. And I think you mustn't forget about the personal liability and how far the regulators can actually push this up. They are looking at personal accountability now, you know, recent events have dictated that. So we're looking at the risks to our directors, our senior managers, our leaders or leadership teams, and how we can mitigate the risk to them, you know, this is a real-life risk. I'm hoping that the understanding from our operator's point of view is that this is not a quick fix that deals with the first week after the regulator turns up. This is really about structural change and giving yourself an opportunity as an operator, as our nightmare scenario suggests, giving ourselves a chance to be compliant within a period of time in a manageable way. Um, so we're moving away from the kind of crisis management for that first week to the next 3 months and looking at structural change. So I think that's more about having a full terrorism protection plan in place, particularly for those enhanced tiers, or, you know, our festivals and, and big events that we're talking about, and making sure that's proportionate, you know, it's documented, it's reviewed, and it's capable of being produced to the SIA, um, as and when they request it. I mean, you both mentioned training, making sure that's ongoing, a one-off exercise isn't going, isn’t going to wash here. Um, and looking ahead to the potential inspections and enforcement, we're not there yet, you know, the SIA possibly don't have the resource to be able to do that, but the real-life possibility of another unannounced inspection is a real one, you know, so looking at change and compliance being continuous and not a one-off fix from a government. Oh, go on, sorry.
Felicity Jones, Partner
As you said earlier, you know, looking after your staff in your venue, it's looking at it as an employer, and the owner is the employer often, not the manager.
Kizzy Augustine, Partner
Not the manager.
Felicity Jones, Partner
So there are questions to be asked to ensure that your staff are being looked after properly, because it's protection of the public, but it's protection of your teams.
Kizzy Augustine, Partner
Your people as well.
Felicity Jones, Partner
It's not just training and what you expect of them, but it's putting them in the safest position possible.
Kizzy Augustine, Partner
That's a very good way of demonstrating good governance, and, and just briefly, I mean, I will ask you both just a kind of final question around governance and commerciality when it comes to structural change. Guy, just briefly, what, what is it that operators need to look at to demonstrate good governance and good integration with their ongoing continuity planning?
Guy Mathias, Director of Risk & Operations
Suntory and Chair of the CSSC
I think it's ensuring that they recognise that fact and that it's not down to good practise or proverbial tick boxes. We've talked about SIA. It's going to be scrutinised at some stage by the SIA. At some stage, resources should be made available from the Home Office to engender this. But it can't sit in isolation. It's got to be part of the wider resilience framework that an organisation has, which is then linked to those incident responses, the crisis management. Don't forget recovery planning. What happens if you have an incident? What happens after? Where's that hot debrief? So clear reporting lines, make sure the responsibility for terrorism preparedness, uh, is embedded within the existing governance arrangements rather than deemed to be temporary. Uh, put a senior individual into this, even if they are the, the project leader or the overseer for this, because it's important to drive this forward and it's making sure that that accountability is recognised at a senior level so that the oversight is both visible and effective. Um, put it into the crisis management and business continuity processes and make sure that they are tested. Uh, we talked about one exercise. This needs to be a regular piece of scenario planning by either exercising the plans, challenging the assumptions, and learning from those test plans, those desktop exercises, as to what goes on when something goes wrong, and that you have a credible, proactive, and resilient approach that's prepared for any potential threats, not just Martyn's Law, but for everything you deal with. But in the concept of today, we're very much working around that Martyn's Law, because I think, sorry, Kizzy, just in a real-world incident, the question is never simply, oh, did you have a policy? It's often in reality, were you genuinely and proportionately ready?
Kizzy Augustine, Partner
It's about anticipation but also mitigation of ongoing risks, I think.
Guy Mathias, Director of Risk & Operations
Suntory and Chair of the CSSC
Absolutely.
Kizzy Augustine, Partner
And the final word with you, Felicity. I can talk all day long about the, the kind of criminal implications for getting this wrong and not being prepared and prosecutions and being given kind of fairly lengthy implementation period, but from a commercial aspect, what is the worst that can happen if this goes wrong and there's non-compliance?
Felicity Jones, Partner
The difficulty here is I feel like the villain of the piece because I'm talking about…
Kizzy Augustine, Partner
You're not, you're not.
Felicity Jones, Partner
This came from such tragic consequences that what we should be doing is looking primarily at protection of guests, staff, and people, including the person who has to take the responsibility at the venue at the time. But also sitting behind that, it's making sure that operators are protecting the venue, protecting the owner, and the owner is similarly working with the operator so that they're both making the best of this rather than putting them in a position where there's tension between them. And of course, nobody wants reputational risk or the insurers turning around and saying, um, we're not covering you for this. So commercially, it's devastating too.
Kizzy Augustine, Partner
It seems like it is, it is a nightmare all round but I'm hoping by the end of today's session, which we are, we're at, at the moment, people on this call can see that our operator has been able to deal with that with the right advice, but they needed to act fast. You know, the nightmare is survivable, um, but this is the regulatory reality. You've got a regulator who has suggested a collaborative approach during this implementation period, which I think takes us to sort of end of 2027. But that window for the collaborative approach is really small and finite, so our operator has to engage early, document steps, and demonstrate proportionality in their actions to be in a fundamentally stronger position than those who wait for something to happen. So the message to all of you on this call is simple. Do not wait for the enforcement agencies to motivate your compliance. Your immediate reaction really will determine regulatory exposure, and the first few days, in fact first few hours, determine operational stability, but it's really the longer term that determines whether or not your business, your organisation becomes resilient and remains, or remains vulnerable. That personal liability for designated senior individuals is key. Um, we need to understand that combined with the reputational risk and commercial consequences of a compliance failure. So early sustainable action is the only sensible response, and you can do that with the right legal and practical support.
Um, I hope that's been helpful. It's kind of a whistle-stop tour through a, a technical nightmare scenario. It doesn't have to be a nightmare if you have the right support and awareness abilities in place. Really good to have you here. Do reach out if you have any further questions to any one of us on the call.