4 ways to automate a Martyn's Law risk assessment

Liam Jones

Liam Jones

Founder, Pilla App

Date Modified

26 May 2026

I'm Liam Jones, founder of Pilla and a qualified management consultant. I've helped hundreds of businesses set up workflows, and in this article I'm going to show you four real examples of how to set up your Martyn's Law risk assessment. I'll start from the simplest and then add some more powerful options. You can open up each template in our workflow builder playground as a starting point and experiment for yourself. If you have any suggestions or you need some help, you can email me directly.

The workflows at a glance

Article Content

#1 - Simple assessment

Who it's for: Single-site venues recording the assessment themselves, that may fall within scope of Martyn's Law (the Terrorism (Protection of Premises) Act).

What it is: A Martyn's Law risk assessment records the terrorism risks to a venue and the people in it, the controls and response plan in place, and any further action. This version keeps each risk in one group: the threat, who's at risk, controls and response in place, risk level, and further action. You add one group per risk or scenario.

Available on: Basic.

In practice: A mid-sized venue works through plausible scenarios. For "evacuation in a security incident", they note who's at risk (customers and staff), the controls (clear exit routes, trained staff, an evacuation and an invacuation plan), rate it, and the further action: run a staff briefing on the plan. Next scenario, next group.

Why it works: Martyn's Law is built around having thought through the risk and planned a proportionate response. Keeping each risk in one group makes the assessment a real, recorded plan rather than a box ticked.

Steps included:

  • 1 grouped assessment (one group per risk): threat, who's at risk, controls and response, risk level, further action
  • Duplicate the group for each risk or scenario

When to upgrade:

  1. A manager does the assessment and needs the framework
  2. You want to attach evidence of the response plan
  3. You run more than one site and need a signed, dated record
Playground

#2 - With guidance

Who it's for: Venues where a manager completes the assessment and needs orienting on what Martyn's Law expects.

What it is: The simple assessment with a guidance note in the group, explaining that Martyn's Law applies a tiered approach based on the number of people a venue can hold, with standard-tier venues expected to have simple, low-cost procedures (evacuation, invacuation, lockdown, communication) and enhanced-tier venues expected to do more, and prompting the assessor to focus on the response plan and staff training, not physical fortification.

Available on: Standard.

What it adds to the previous template:

  1. The tiered approach and what each tier expects are on screen
  2. The manager focuses on procedures and training, the heart of the duty
  3. The assessment is consistent whoever completes it

Why it works: The guidance sits in the group with the fields, so the assessor understands the duty is about preparedness and response, not turning the venue into a fortress.

Steps included:

  • 1 guidance note in the group (the tiers, the expected measures)
  • 1 grouped assessment: threat, who's at risk, controls and response, risk level, further action

When to upgrade: When the assessment needs evidence of the plan (Martyn's Law RA #3) or a signed, dated record (#4).

Playground

#3 - With photo evidence

Who it's for: Venues that want to attach evidence of the response plan and measures.

What it is: The guided assessment plus a photo or attachment in the group, the evacuation plan, signage and exit routes, or a record of staff training. Evidence the plan exists and staff know it.

Available on: Standard.

What it adds to the previous template:

  1. Evidence of the plan or measures, attached at the time
  2. A record that staff training and procedures are real
  3. A baseline to compare at the next review

Why it works: Martyn's Law is about being able to show preparedness. Attaching the plan and training evidence is exactly the kind of record that demonstrates it.

Steps included:

  • 1 guidance note in the group (the tiers, the expected measures)
  • 1 grouped assessment: threat, who's at risk, controls and response, risk level, further action
  • 1 photo or attachment in the group (the plan or measures)

When to upgrade: When the assessment needs a named, dated sign-off (Martyn's Law RA #4).

Playground

#4 - With photo and signature

Who it's for: Multi-site groups where each venue's assessment has to be signed, dated, and reviewable from head office.

What it is: The assessment plus a signature in the group. The responsible person signs to confirm it and set a review date.

Available on: Standard.

What it adds to the previous template:

  1. A signature confirming who assessed and when
  2. A clear point to set the next review date
  3. A complete, dated record an auditor or regulator treats as best practice

Why it works: The signature makes the assessment owned and dated, and across sites it lets a safety or security lead confirm every venue in scope has a current plan.

Steps included:

  • 1 guidance note in the group (the tiers, the expected measures)
  • 1 grouped assessment: threat, who's at risk, controls and response, risk level, further action
  • 1 photo or attachment in the group (the plan or measures)
  • 1 signature in the group (responsible person)

When to upgrade: When you want Poppi to remind you when a review or staff briefing is due, or pull every site's assessments into one report. Those versions are coming in the next post update.

Playground

How to pick the right version

You don't need to know our product to choose. Just answer three questions.

Is it just you assessing, or does a manager do it?

If you do it yourself, a plain assessment is enough. The moment a manager does it, the tiers and expected measures need to be on screen. If only you assess, #1 is fine. If a manager does, start at #2.

Do you need evidence, or is a written record enough?

A written assessment is the core. Attaching the plan and training records shows preparedness. If a written record is enough, stop at #2. If you want evidence, #3 adds it.

Does it need a signed, dated sign-off?

For a single venue, the record can stand alone. Across sites, a security lead wants a signature on each. If no sign-off is needed, #3 is enough. If you run more than one site, #4 adds a signature.

Related workflows

Conclusion

Martyn's Law makes preparedness a duty for qualifying venues, and the assessment is how you record that you've thought it through and trained your team. The versions above move from a simple assessment to a signed, dated record.

Five more versions are coming in the next refresh that bring AI into the picture. Poppi can remind you when a review or staff briefing is due, and pull every site's assessments into one report. Those need more review time and will land separately.

ā†’ Build your own Martyn's Law risk assessment on Pilla. The Basic plan unlocks the simple assessment today.