How I Use the Terrorism Risk Assessment Template in Pilla

Understanding What's Required of You

A terrorism risk assessment identifies the security vulnerabilities at your premises and what measures are in place to protect staff, customers, and the public. It's not a one-off exercise. It's a living document that needs reviewing regularly and updating whenever something changes, whether that's a new entrance, a change of layout, a staffing restructure, or a shift in the national threat level.

In the UK, Martyn's Law (the Terrorism (Protection of Premises) Act 2025) requires qualifying premises with a capacity of 200 or more people to assess terrorism risks and put appropriate protective measures in place. Named after Martyn Hett, killed in the Manchester Arena bombing, the legislation exists to make sure public venues take terrorism preparedness seriously. But regardless of your capacity or where you operate, assessing your security risks is good practice if your premises are open to the public. I've worked with businesses well under the 200 threshold who chose to do this anyway, and they were right to.

Premises need their own dedicated terrorism risk assessment because the threats are specific: uncontrolled access points, vulnerable external areas, no emergency planning, poor communication, and gaps in staff awareness. A general site risk assessment won't go into this level of detail. Every premises has a different layout, different operating hours, and a different risk profile. Each one needs focused attention.

I'd always have the operations manager or security lead complete this. They know the layout, the access points, the daily routines, and where the real vulnerabilities sit. From my consultancy work, the worst assessments I've reviewed were completed by someone in head office who'd never set foot on the premises. Set a reminder to review it at least once a year, or sooner if you change the layout, add new entrance points, host a new type of event, or have a security incident.

Setting It Up as a Work Activity

I've built a terrorism risk assessment template in Pilla covering the 10 key security areas below. It gives you a structured starting point, but depending on how your premises operates, you may need to add extra items to cover your specific vulnerabilities.

When you create the work activity, tag it (e.g. "Terrorism Risk Assessment"). Tags make it easy to find and filter later, and they're what Poppi uses to track completion across different risk assessment types in automated reports.

You've got two options. Create it as a one-off work form, complete it, and manually create a new one when it's due for review. Or set it up as a recurring yearly work schedule, and Pilla will create the next one automatically. I'd recommend the recurring option. Terrorism risk assessments are exactly the kind of thing that gets completed once and then forgotten for three years. A recurring schedule takes that problem away.

1. Staff Awareness

What level of terrorism awareness do your staff currently have: Describe the current state of terrorism awareness among your staff. I want to know whether they've completed any counter-terrorism training, whether they can recognise suspicious behaviour, whether they understand your emergency response procedures, and whether there's a clear reporting line for concerns. Include agency, temporary, and seasonal staff. They're often the ones missed.

What training and briefing measures are in place: Describe the training, briefing, and awareness measures you have in place and any additional actions you plan to take. I'm looking for ACT Awareness e-learning, refresher briefings, team briefings on current threat levels, reporting procedures, and how you track training completion.

What good answers look like:

Current awareness: "Most permanent staff have completed ACT Awareness e-learning, but agency and seasonal staff have not. Staff are generally aware of the need to report concerns but are not confident identifying specific suspicious behaviour indicators."

Measures in place: "All staff complete ACT Awareness e-learning within first week of employment. Refresher briefings conducted quarterly covering current threat levels, suspicious behaviour indicators, and our response procedures. Team briefings include 'See It, Say It, Sorted' messaging. Staff know to report concerns to duty manager immediately and understand they won't be penalised for raising false alarms. Training records maintained in Pilla with completion dates tracked."

Common mistakes I see:

"Staff would know what to do." They wouldn't. Without specific training, most staff will freeze or act unpredictably during an incident. I've run tabletop exercises where experienced managers couldn't describe their own evacuation route. Provide structured counter-terrorism training.

"We did the training when they started." One-off training with no refreshers means awareness fades within months. Schedule regular briefings and updates, especially when threat levels change.

2. Uncontrolled Public Access Points

What uncontrolled access points exist: List and describe all entry points at your premises and identify which ones are not consistently monitored or controlled. I want to see customer entrances, staff entrances, delivery bays, loading areas, fire exits, roof access, and any doors that get propped open. Consider both operating hours and after-hours access.

What controls are in place: Describe the measures you currently have in place to manage access points and what you plan to add. Tell me about staffed reception, locked doors, keypad or fob access, CCTV coverage, alarm systems, visitor sign-in, and how you manage fire exits to prevent unauthorised entry while still allowing emergency egress.

What good answers look like:

Access points: "The premises has five entry points: main customer entrance, rear delivery entrance, two fire exits, and a staff entrance via the car park. The delivery entrance is sometimes left unlocked during delivery windows, and the staff entrance relies on a keypad code that hasn't been changed in six months."

Controls: "Main customer entrance monitored by reception staff during operating hours. Rear delivery entrance kept locked, opened only when deliveries expected, and staff verify driver identity before admitting. Fire exits alarmed and checked daily to ensure not propped open. Staff-only areas secured by keypad access (code changed monthly). After-hours access limited to keyholders with alarm codes. CCTV covers all entrances with 30-day retention."

Common mistakes I see:

"We only need to worry about the front door." I've walked around buildings during site visits and found fire exits propped open with a mop bucket, delivery bays left unlocked all afternoon, and roof access hatches with no lock at all. Audit every entry point.

"The code hasn't been changed but everyone knows it." That's the problem. Change access codes regularly, especially when staff leave.

3. Emergency Response Plan

What emergency scenarios have you planned for: Describe which terrorism-related emergency scenarios you've considered and planned for. I need to see evacuation (bomb threat, fire, external incident), invacuation (sheltering inside during an external attack), and lockdown (attacker inside or at entrance). Consider whether your planning accounts for different times of day, staffing levels, and occupancy levels.

What does your emergency response plan include: Describe the specific elements of your emergency response plan and what you plan to add. I'm looking for written procedures, assembly points, refuge areas, communication protocols, action cards, drill schedules, and what you learned from previous exercises.

What good answers look like:

Scenarios planned for: "We have considered evacuation, invacuation, and lockdown scenarios. We have not yet planned specifically for a marauding attack or a vehicle attack on the external queuing area."

Plan details: "Written emergency response plan covers three scenarios: evacuation (bomb threat, fire, external incident), invacuation (external attack, gunfire outside), and lockdown (attacker inside or at entrance). Plan includes designated assembly points away from the building, internal refuge areas with lockable doors, and communication protocols. Duty manager holds laminated action cards. Plan tested via tabletop exercise annually and evacuation drill every 6 months. Last drill identified issue with rear exit signage, now resolved."

Common mistakes I see:

"We have a fire evacuation plan." A fire evacuation plan is not a terrorism plan. Evacuation, invacuation, and lockdown each require distinct procedures. During a fire, you get everyone out. During an external attack, you might need to keep everyone in. These are opposite responses, and if your staff only know one of them, you have a serious gap.

"The plan is in the office." A plan that exists on paper but has never been practised is not a plan. Test it regularly and debrief afterwards. Every drill I've observed has uncovered something that needed fixing.

4. Vulnerable External Areas

What external areas are vulnerable: Describe the outdoor spaces at your premises where people gather or could be exposed to attack. I want to see terraces, beer gardens, queuing areas, smoking areas, car parks, delivery bays, and any pavement areas directly outside. Consider whether vehicles could access these areas and whether they're visible from inside the premises.

What measures are in place: Describe the measures you have in place to protect external areas and what you plan to add. Tell me about vehicle barriers (planters, bollards), queue management, CCTV coverage, lighting, waste storage positioning, and how frequently staff check external areas.

What good answers look like:

Vulnerable areas: "The premises has an outdoor terrace seating 60 customers on the pavement side, a rear car park with no vehicle barriers separating pedestrian and vehicle areas, and a smoking area near the delivery bay that is poorly lit."

Measures: "Outdoor terrace protected by concrete planters acting as vehicle barriers along the pavement edge. Queue forms inside building, not on pavement, with door staff managing capacity. Car park has CCTV coverage, is well-lit, with vehicle barriers preventing access to pedestrian areas. External bin store locked and positioned away from building. Staff check external areas hourly during operating hours for suspicious items or behaviour."

Common mistakes I see:

"Nobody would target our car park." Vehicle attacks target crowded external areas. I need you to think about how a vehicle could access any area where people gather, including your terrace, your queuing area, and your car park.

"The bins are by the back door for convenience." External bins positioned against the building increase arson and bomb risk. Move them away and secure them. This is a quick win that costs nothing.

5. Suspicious Behaviour

What are the risks of suspicious behaviour going unnoticed: Describe the factors at your premises that could make it difficult to spot suspicious behaviour. I want to know how busy the premises gets, how many staff are on the floor, whether there are areas with limited visibility, and whether staff have been trained to distinguish between normal curiosity and hostile reconnaissance. Attackers often conduct surveillance before an attack, observing security measures, testing responses, and photographing layouts.

What measures are in place: Describe your current measures to identify and respond to suspicious behaviour and what you plan to add. I'm looking for staff training on hostile reconnaissance indicators, discreet reporting mechanisms, logging of concerns, engagement with local Counter Terrorism Security Advisors, and how reports are reviewed for patterns.

What good answers look like:

Risks: "During peak hours, staff are focused on service and may not notice someone observing security arrangements or testing locked doors. The mezzanine level has limited staff presence, and the external terrace is only checked periodically."

Measures: "Staff trained to recognise hostile reconnaissance indicators: people photographing security measures, testing locked doors, watching staff patterns, asking unusual questions about capacity or security, leaving then returning, nervous behaviour inconsistent with the setting. Training uses ACT Security guidance and real-world case studies. Staff report to duty manager using discreet code word. Manager assesses and contacts police non-emergency (or 999 if immediate threat). Reports logged even if no action taken, as patterns may emerge over time."

Common mistakes I see:

"We rely on gut feeling." Gut feeling isn't a security measure. Without structured training, staff won't know what to look for. Provide specific guidance on hostile reconnaissance indicators. The ACT Security materials are free and practical.

"Staff don't want to seem like they're profiling customers." Frame the training around behaviour, not people. It's about noticing actions that don't fit the setting, not making assumptions about individuals. When I deliver this training, that distinction makes the difference between staff who report concerns and staff who stay silent.

6. Poor Communication

What are the communication risks during an emergency: Describe the factors at your premises that could make communication difficult during a security incident. I want to know about the size and layout of the premises, whether all areas can be reached quickly (including toilets, kitchens, external areas), noise levels during busy periods, mobile phone signal reliability, and whether staff are spread across multiple floors or zones.

What communication measures are in place: Describe your current emergency communication measures and what you plan to add. Tell me about radios, PA systems, code words, discreet alerting methods, emergency contact lists, and how staff would brief emergency services when they arrive (e.g. ETHANE format).

What good answers look like:

Communication risks: "The premises is split across two floors with a basement kitchen. Mobile signal is unreliable in the basement. During busy service, noise levels make verbal communication across the floor difficult. There is no PA system that reaches the external terrace."

Measures: "Radio handsets carried by all supervisors and security staff during operating hours, with a dedicated security channel. Code words agreed for different scenarios (lockdown, evacuation, suspicious person) to avoid alarming customers unnecessarily. PA system can reach all areas including toilets and external terrace. Emergency contact list (police, ambulance, head office, neighbours) laminated at reception and saved in duty manager's phone. First arriving officer will be briefed by duty manager using ETHANE format."

Common mistakes I see:

"Everyone has a mobile phone." Mobile networks get overloaded during major incidents. I've seen it happen during large-scale evacuations in city centres where nobody could get a call out. Have a backup communication method such as radios.

"We'd just shout." Shouted instructions create panic. Use discreet code words for staff alerting and clear, calm instructions for customers. The code word system is simple to set up and makes a real difference when it matters.

7. Lack of Visible Deterrents

What security gaps could make your premises appear an easy target: Describe any factors that could make your premises look like a soft target to someone conducting reconnaissance. I want to know whether CCTV is visible or hidden, whether there's a security staff presence, whether entrances are unmonitored, whether lighting is poor in external areas, and whether the premises layout creates blind spots.

What visible deterrents are in place: Describe your current visible security measures and what you plan to add. I'm looking for CCTV signage, camera positioning, security staff presence, bag check policies, lighting, and venue layout that supports natural surveillance. Deterrents should be proportionate. An overly hostile environment affects customer experience.

What good answers look like:

Security gaps: "CCTV cameras are installed but not prominently signed. There is no security staff presence during daytime trading. The rear car park has poor lighting, and the service corridor has no camera coverage."

Deterrents: "CCTV prominently signed at all entrances, with cameras covering entrances, public areas and external spaces with 30-day recording retention. Security staff visible at entrance during evening trading. Bag policy clearly communicated: bags over A4 size checked at entry. Good external lighting with no dark corners in car park or service areas. Venue layout allows natural surveillance, with staff able to see most areas from service positions."

Common mistakes I see:

"We have CCTV but it's discreet." Hidden CCTV only records. Visible cameras deter. Make sure cameras and signage are prominent. I'd rather have a visible camera that prevents an incident than a discreet one that captures footage of one.

"Security staff are too expensive for daytime." Consider proportionate alternatives: staff positioned near entrances, bag check policies, and good natural surveillance through layout. Not every deterrent requires a door supervisor.

8. Unattended Items

What are the risks from unattended items: Describe the factors at your premises that could increase the risk from unattended bags, packages, or vehicles. I want to know how busy the premises gets, whether customers routinely leave belongings at tables, whether external areas have bins or concealment points near the building, and how quickly an unattended item would be noticed in different parts of the premises.

What procedures are in place: Describe your current measures for managing unattended items and what you plan to add. I'm looking for staff training on the HOT principle (Hidden? Obviously suspicious? Typical for this location?), challenge and escalation procedures, customer belongings management, closing checks, and bin positioning.

What good answers look like:

Risks: "During busy periods, bags left at tables may not be noticed for some time. The external terrace has planters and furniture that could conceal items. Bins near the entrance are not secured."

Procedures: "Staff trained to challenge unattended items within 2 minutes using the HOT principle. If owner not identified, area cleared 20 metres and duty manager called. Manager assesses and contacts police if warranted. Customers' belongings stored in cloakroom, not left at tables. Staff check all areas at closing for left items. External bins located away from building and secured; litter-picking keeps areas clear of items that could conceal devices."

Common mistakes I see:

"It's probably just a bag someone left behind." Probably. But "probably" isn't good enough. Every unattended item should be assessed using the HOT principle. It takes 30 seconds.

"I'll just move it out of the way." Never move a suspicious item. Clear the area and call for help. This is non-negotiable.

9. Event Bookings Control

What are the security risks from events and large bookings: Describe how events and large bookings change the risk profile at your premises. I want to know about higher occupancy levels, more complex evacuation, unfamiliar attendees, external organisers who may not know your security procedures, and whether certain events could attract specific threats or protests.

What controls are in place: Describe your current measures to manage event security risks and what you plan to add. Tell me about booking vetting processes, pre-event meetings with organisers, capacity management, additional security staffing, and how you handle controversial or high-profile events.

What good answers look like:

Risks: "Private events increase occupancy to near-capacity, making evacuation more complex. External organisers are not familiar with our emergency procedures. We have not previously considered whether certain event types could attract specific threats."

Controls: "Event bookings require completion of booking form including expected numbers, event type, and organiser contact details. Events over 100 attendees require pre-event meeting with organiser to discuss security, capacity management and emergency procedures. Organiser signs agreement acknowledging house rules including bag policy. Additional door staff arranged for events over 150. Controversial or high-profile events escalated to manager for risk assessment and potential police notification."

Common mistakes I see:

"We just take the booking and sort out the details later." I've seen venues accept large bookings with no information about what the event actually is. You can't assess a risk you don't know about. Collect key information upfront.

"It's a private event, so security isn't our problem." Events on your premises are your responsibility. Full stop. Brief organisers on your procedures and adjust your security measures accordingly.

10. Review of Security Measures

What gaps exist in how you review security measures: Describe any weaknesses in how your security measures are currently reviewed and maintained. I want to know whether the risk assessment has been reviewed since it was first completed, whether you monitor the national threat level, whether security incidents and near-misses are logged and analysed, and whether there's a named person responsible for ongoing compliance.

What review processes are in place: Describe your current review processes and what you plan to add. I'm looking for scheduled review dates, triggers for unscheduled reviews (incidents, layout changes, new event types, threat level changes), how lessons learned are fed back in, and who owns ongoing compliance.

What good answers look like:

Gaps: "The risk assessment was completed six months ago and has not been formally reviewed since. Security incidents are reported verbally but not logged. No one person is formally responsible for ongoing terrorism compliance."

Review processes: "Terrorism risk assessment reviewed annually by operations manager and whenever significant changes occur (new entrance, layout change, new event type, staffing restructure). Review includes checking threat levels via MI5/ProtectUK, analysing any security incidents or near-misses, and assessing whether current measures remain proportionate. Staff refresher training aligned with annual review. Any incidents (suspicious items, concerning behaviour) logged and reviewed for lessons learned. Next scheduled review date recorded."

Common mistakes I see:

"We did the assessment, it's filed away." This is the single most common thing I hear, and it defeats the entire purpose. Martyn's Law requires ongoing compliance, not a one-off exercise. If your assessment is gathering dust, you're not compliant.

"We'd review it if something happened." Reactive reviews miss emerging threats. Schedule regular reviews and monitor the national threat level proactively. MI5 publishes the current threat level publicly and it takes 10 seconds to check.

Understanding Martyn's Law Requirements

Who needs to comply?

Martyn's Law applies to public venues with a capacity of 200 or more people. There are two tiers:

• Standard tier (200 to 799 capacity): Requires a terrorism response plan and staff training. No mandated physical security measures.
• Enhanced tier (800+ capacity): Requires additional security measures, a documented security plan submitted to the regulator, and a designated senior officer for compliance.

What's the timeline?

The Act received Royal Assent in April 2025 with a 24-month implementation period. Enforcement is expected from 2027, but I'd strongly recommend preparing now. In my experience, the businesses that wait until enforcement starts are the ones that scramble and cut corners.

Who enforces it?

The Security Industry Authority (SIA) will regulate compliance, with powers to issue compliance notices, fines, and restriction orders for non-compliant venues.

Automate the Follow-Up with Poppi

This is the part that makes the difference between a risk assessment that actually stays current and one that gets filed and forgotten. I've seen it happen hundreds of times. The assessment gets completed, everyone feels good about it, and then nobody looks at it again until an auditor or an inspector asks for it. The problem isn't that people don't care. There's just no system reminding anyone to check.

Once your terrorism risk assessment is set up as a work activity in Pilla, you can use Poppi Actions to set up a scheduled report that tells you when it was last completed. The report also shows how many incomplete instances exist since the last completion, so you can spot anything that was assigned but never finished.

I'd set this up to cover all your risk assessment types in a single rule. Tag your terrorism risk assessment, fire risk assessment, kitchen risk assessment, and any others, then include all the tags in one rule. Poppi sends the report on whatever schedule you choose. For terrorism, I'd recommend at least quarterly given the nature of the risk. You can always adjust.