In Think like a Freak: Secrets of the Rogue Economist, the follow-up to their celebrated book Freakonomics, the American authors Steven D Levitt and Stephen J Lubner credit the psychologist Gary Klein with the idea of a ‘premortem’. Whereas a postmortem is conducting an inquiry after something has happened, ‘a premortem tries to find out what might go wrong before it’s too late’, things that might be known about a project, but ‘that no one had been willing to speak aloud’. Mark Rowe offers three topics under the proposed Protect Duty, ahead of the ‘pre-legislative scrutiny‘ of the Terrorism (Protection of Premises) Draft Bill by the Home Affairs Select Committee of MPs, which begins hearing evidence on Tuesday.
The three are: cost, compliance, and the potential regulator’s accountability.
Cost
Explanatory notes published alongside the draft Bill – which would place a legal responsibility on hundreds of thousands of venues and buildings such as nightclubs and places of worship to secure against terrorism – do not cost up the Duty. The only clue given is under the cost to Government’s own buildings; that to meet the lower, smaller, ‘standard’ tier of site or venue would be £2000 per site, over ten years; and for the ‘enhanced’ tier of venues holding 800 or more, £80,000. The notes do not give numbers of sites of retail, hospitality, places of worship and so on, even though the Home Office does have such totals. Now why would the Home Office not make those public? Presumably because it wants to deny to any scrutineer the ability to come up with a total cost to the UK to comply with the Duty, which presumably would run into the billions and would cause an outcry from businesses.
As for the as yet unspecified regulator of the Duty – the June print edition of Professional Security Magazine has speculated that it might be the signficantly recently renamed NPSA (National Protective Security Authority, the former CPNI, Centre for the Protection of National Infrastructure) – the notes do estimate the cost of set-up to the Government ‘to be between £89 million to £178 million with a central estimate of £130 million (2022 prices). This cost is based on the assumption that the regulator will be a new arms’ length body’. As with the Security Industry Authority 20 years ago, Government paid (although ultimately we all paid, in taxes) for the set-up of the SIA, then it has had to pay its own way, mainly through charging for licence fee applications and the approved contractor scheme.
A Protect Duty regulator would pay for itself through fines, or in legal jargon ‘monetary penalties’. The notes state: “For standard duty premises, the regulator will have the power to issue a fixed penalty up to a maximum of £10,000. And for enhanced duty premises and qualifying public events, the regulator will be able to issue a maximum fixed penalty of the higher of £18m or 5pc of worldwide revenue.” The regulator’s inspectors, then, would become the building security equivalent of parking wardens, and as detested. How amenable would that make site owners to security spending?
Compliance
Not wanting to fall foul of inspectors would drive sites’ urge to comply – to a bare minimum. So would insurers’ demands. This would present a once in a generation opportunity for vendors of security products and services. But to comply with what? The risk would be that compliance with the Duty, set by a regulator, would not necessarily be the same as what is proportionate security against an actual terror threat, whether against extreme right-wingers or jihadists, or Irish dissident republicans. Or indeed other terrorist movements that may yet develop.
The UK’s fire safety regime had its failures revealed by the 2017 Grenfell Tower fire in west London, still unresolved; in April the Secretary of State for Levelling Up, Housing and Communities Michael Gove spoke of a ‘building safety crisis’. As the Grenfell Inquiry set out, flammable products left buildings unsafe (and, with no resolution in sight, properties unsellable and left empty). For a regulator and inspectors, fire safety should and can at least be a matter of physics; either a cladding product fitted on the outside of a building retards a fire or it does not. How much harder it shall be for a Protect Duty regulator, for there is no equivalent science in terror risk assessment – the risk changes over time, according to international incidents out of the UK’s control, the hidden plans and even last-minute whims of terrorist plotters.
Take the building pictured, Belfairs Methodist Church in a suburb of Southend-on-Sea in Essex. Nearby is a parade of shops with a Co-op at one end a William Hill betting shop at the other. The church has a low wall as perimeter between the pavement and building – a higher fence to protect the car park, and video cameras. The entrance of largely glazing serves to make the place of worship as open to the public – and (advertised by a banner on the fence out of picture) community events such as a slimming group held there – as possible. All looks normal, even nondescript – what could be the risk from terror? Except that there in October 2021 the local MP Sir David Amess was stabbed to death by a man with a knife who travelled from London to Sir David’s constituency surgery, having (so the trial heard that ended in the man given a whole life sentence for murder) carried out ‘hostile reconnaissance’ on other parliamentarians.
How would the Protect Duty have altered Belfairs Methodist Church to prevent that murder without turning an MP’s surgery into a fortress out of keeping with the rest of the community building, and against the grain of how parliamentarians want to be available to constituents. Other acts of terror and terrorist cases, such as the murder of MP Jo Cox on the eve of the Brexit vote in 2016; Forbury Gardens, a public park in the centre of Reading, in June 2020; and Streatham High Street in February 2020, happened in the open where it’s not proposed the Protect Duty will apply (although an earlier Version did include parks and beaches).
Accountability
If the Protect Duty does become law before a likely general election next year, and if the NPSA does become the regulator, it would have to change its culture sharpish. For whereas we know the names of who works for the health and safety regulator the HSE and the SIA, we don’t have even those basics for the NPSA. If you disagree with the compliance set – whether it’s too lax or too stringent, and judging from the 20-year and continuing grumbles of the security industry about the SIA, it will face complaints from both angles – how would you even start to lobby?
That is not to criticise the NPSA, whose output of advice about the gamut of security – information, personnel, electronic, physical – is excellent in style and content. But underpinning a Protect Duty is the principle that the state is outsourcing some (how much?) of the responsibility for securing UK citizens’ lives, previously held by the police and security services as agents of the state. Those who work at the NPSA like MI5 and MI6 and on the cyber side the National Cyber Security Centre (NCSC) but for a handful of those at the top are not identifiable. In sum, parliamentarians and the country have to take their work on trust. How that secrecy – habitual for good reasons – would sit with businesses making financial and everyday operational decisions has yet to be worked out, or indeed even debated by anyone.
