How to use the Terrorism Risk Assessment template in Pilla
Pilla's Terrorism Risk Assessment template walks you through 10 sections covering staff awareness, access control, emergency planning and security measures. Each section asks you to identify hazards, who might be harmed, existing controls and any further actions needed.
This guide explains what each section is asking, what good answers look like, and how to avoid common mistakes—helping you comply with Martyn's Law (the Terrorism (Protection of Premises) Act 2025).
Understanding the Terrorism Risk Assessment template
Martyn's Law requires hospitality venues with a capacity of 200 or more people to assess terrorism risks and implement appropriate protective measures. Named after Martyn Hett, killed in the Manchester Arena bombing, this legislation ensures public venues take terrorism preparedness seriously.
Pilla's template is structured around 10 key security areas that align with what the Security Industry Authority (SIA) and Counter Terrorism Security Advisors expect to see addressed. Each section prompts you to think about:
- What security gaps or vulnerabilities exist
- Who might be harmed (staff, customers, visitors, the public nearby)
- What controls you already have in place
- What additional actions might be needed
The assessment covers both preventive measures (stopping an attack) and response procedures (protecting people if an attack occurs).
1. Staff Awareness
Template question: Describe the hazards, persons at risk, existing controls and additional actions for staff awareness of terrorism threats.
Why it matters
Your staff are your first line of defence. A team that understands terrorism risks, knows what to look for, and feels confident reporting concerns can prevent attacks or significantly reduce harm. Conversely, untrained staff may miss warning signs or freeze during an incident.
What good answers look like
A strong response demonstrates active training and awareness:
- "All staff complete ACT Awareness e-learning within first week of employment. Refresher briefings conducted quarterly covering current threat levels, suspicious behaviour indicators, and our response procedures. Team briefings include 'See It, Say It, Sorted' messaging. Staff know to report concerns to duty manager immediately and understand they won't be penalised for raising false alarms. Training records maintained in Pilla with completion dates tracked."
How to answer this for yourself
Think about:
- Have your staff completed counter-terrorism awareness training?
- Do they know what suspicious behaviour looks like?
- Do they understand your emergency response procedures?
- Is there a clear reporting line for concerns?
- How do you keep awareness current (briefings, updates, refreshers)?
Common mistakes
- Assuming staff will "know what to do" without specific training
- One-off training with no refreshers
- Not making it clear that reporting concerns is encouraged and protected
- Forgetting agency, temporary or seasonal staff
2. Uncontrolled Public Access Points
Template question: Describe the hazards, persons at risk, existing controls and additional actions for uncontrolled public access points.
Why it matters
Entry points that aren't monitored or controlled give attackers easy access to crowded areas. Every door, gate, loading bay and service entrance is a potential vulnerability if not managed. Understanding who can enter where—and when—is fundamental to protective security.
What good answers look like
- "Main customer entrance monitored by reception staff during operating hours. Rear delivery entrance kept locked, opened only when deliveries expected—staff verify driver identity before admitting. Fire exits alarmed and checked daily to ensure not propped open. Staff-only areas secured by keypad access (code changed monthly). After-hours access limited to keyholders with alarm codes. CCTV covers all entrances with 30-day retention."
How to answer this for yourself
Consider:
- How many entry points does your venue have?
- Which are customer-facing and which are staff/service only?
- How are non-public entrances secured?
- Who monitors entrances during operating hours?
- What happens outside operating hours?
- Are fire exits secured against unauthorised entry while allowing emergency egress?
Common mistakes
- Forgetting about fire exits, delivery bays and roof access
- Propping doors open for convenience
- Not changing access codes when staff leave
- Having unmanned reception during busy periods
3. Emergency Response Plan
Template question: Describe the hazards, persons at risk, existing controls and additional actions for your emergency response plan.
Why it matters
When an attack happens, every second counts. A clear, practised plan means staff can act decisively rather than freezing or making ad-hoc decisions under pressure. Your plan should cover evacuation, invacuation (sheltering inside), lockdown and communication.
What good answers look like
- "Written emergency response plan covers three scenarios: evacuation (bomb threat, fire, external incident), invacuation (external attack, gunfire outside), and lockdown (attacker inside or at entrance). Plan includes designated assembly points away from the building, internal refuge areas with lockable doors, and communication protocols. Duty manager holds laminated action cards. Plan tested via tabletop exercise annually and evacuation drill every 6 months. Last drill March 2024—full evacuation completed in 4 minutes, identified issue with rear exit signage (now resolved)."
How to answer this for yourself
Think about:
- Do you have written procedures for evacuation, invacuation and lockdown?
- Do staff know the difference and when to use each?
- Where are your assembly points and refuge areas?
- How will you communicate with staff and customers during an incident?
- When did you last practise or test the plan?
- What did you learn from exercises?
Common mistakes
- Only having a fire evacuation plan (terrorism scenarios differ)
- Not identifying internal refuge areas for lockdown
- Having a plan that exists on paper but isn't practised
- Assembly points too close to the building or in a predictable location
4. Vulnerable External Areas
Template question: Describe the hazards, persons at risk, existing controls and additional actions for vulnerable external areas.
Why it matters
Outdoor spaces—terraces, beer gardens, queuing areas, car parks—can be targets in themselves or staging areas for attacks. Vehicle attacks, in particular, target crowded external areas. Protecting people outside your building is as important as inside.
What good answers look like
- "Outdoor terrace seating for 60 customers protected by concrete planters acting as vehicle barriers along the pavement edge. Queue forms inside building, not on pavement—door staff manage capacity. Car park has CCTV coverage, well-lit, with vehicle barriers preventing access to pedestrian areas. External bin store locked and positioned away from building to reduce arson/bomb risk. Staff check external areas hourly during operating hours for suspicious items or behaviour."
How to answer this for yourself
Consider:
- Do you have outdoor seating, queuing areas or gathering spaces?
- Could a vehicle access these areas?
- Are external areas visible and well-lit?
- Where is your waste stored and is it secured?
- How often do staff check external areas?
Common mistakes
- Not considering vehicle-as-weapon attacks
- Queues forming in exposed locations
- Poor lighting in car parks and rear areas
- External bins positioned against the building
5. Suspicious Behaviour
Template question: Describe the hazards, persons at risk, existing controls and additional actions for identifying suspicious behaviour.
Why it matters
Attackers often conduct reconnaissance before an attack—observing security measures, testing responses, photographing layouts. Staff who can recognise and report unusual behaviour may identify threats before they materialise. This isn't about profiling people; it's about noticing behaviour that doesn't fit.
What good answers look like
- "Staff trained to recognise hostile reconnaissance indicators: people photographing security measures, testing locked doors, watching staff patterns, asking unusual questions about capacity or security, leaving then returning, nervous behaviour inconsistent with the setting. Training uses ACT Security guidance and real-world case studies. Staff report to duty manager using discreet code word. Manager assesses and contacts police non-emergency (or 999 if immediate threat). Reports logged even if no action taken—patterns may emerge over time."
How to answer this for yourself
Think about:
- Have staff been trained in recognising suspicious behaviour?
- Do they know the difference between curious behaviour and hostile reconnaissance?
- Is there a clear, discreet reporting mechanism?
- Do you log and review reports for patterns?
- Have you engaged with local police Counter Terrorism Security Advisors?
Common mistakes
- Relying on "gut feeling" without structured training
- Making staff feel they're being asked to profile customers
- No logging of concerns (missing patterns across shifts)
- Not having a discreet reporting method (staff fear embarrassment)
6. Poor Communication
Template question: Describe the hazards, persons at risk, existing controls and additional actions for communication during security incidents.
Why it matters
During an incident, clear communication saves lives. Staff need to alert each other, customers need instructions, and emergency services need information. Poor communication leads to confusion, delayed response and people not knowing what to do.
What good answers look like
- "Radio handsets carried by all supervisors and security staff during operating hours—dedicated security channel. Code words agreed for different scenarios (lockdown, evacuation, suspicious person) to avoid alarming customers unnecessarily. PA system can reach all areas including toilets and external terrace. Emergency contact list (police, ambulance, head office, neighbours) laminated at reception and saved in duty manager's phone. First arriving officer will be briefed by duty manager using ETHANE format."
How to answer this for yourself
Consider:
- How do staff communicate with each other during normal operations?
- Can you reach all areas of the venue quickly (including toilets, kitchens, external areas)?
- Do you have code words or discreet alerting methods?
- Do staff know how to brief emergency services?
- Is there a fallback if phones/radios fail?
Common mistakes
- Relying solely on mobile phones (networks can be overloaded)
- PA announcements that create panic
- No discreet alerting system for staff
- Not briefing emergency services effectively when they arrive
7. Lack of Visible Deterrents
Template question: Describe the hazards, persons at risk, existing controls and additional actions for visible security deterrents.
Why it matters
Visible security measures can deter attackers who conduct reconnaissance and select softer targets. CCTV, security staff, bag checks and good lighting signal that your venue takes security seriously. However, deterrents must be proportionate—an overly hostile environment affects customer experience.
What good answers look like
- "CCTV prominently signed at all entrances—cameras cover entrances, public areas and external spaces with 30-day recording retention. Security staff visible at entrance during evening trading. Bag policy clearly communicated: bags over A4 size checked at entry. Good external lighting with no dark corners in car park or service areas. Venue layout allows natural surveillance—staff can see most areas from service positions."
How to answer this for yourself
Think about:
- Is your CCTV visible and signed?
- Do you have security staff presence, and when?
- Do you operate bag checks or similar screening?
- Is your venue well-lit inside and out?
- Can staff naturally observe customers from their positions?
Common mistakes
- Hidden CCTV (visible cameras deter; hidden ones only record)
- Security staff in back office rather than visible positions
- Inconsistent bag check policies
- Dark areas that reduce natural surveillance
8. Unattended Items
Template question: Describe the hazards, persons at risk, existing controls and additional actions for unattended items.
Why it matters
Unattended bags, packages and vehicles remain a primary method for delivering explosive devices. Staff and customers need to be alert to items without obvious owners, and you need clear procedures for responding—neither ignoring them nor overreacting.
What good answers look like
- "Staff trained to challenge unattended items within 2 minutes using the 'HOT' principle (Hidden? Obviously suspicious? Typical for this location?). If owner not identified, area cleared 20 metres and duty manager called. Manager assesses and contacts police if warranted. Customers' belongings stored in cloakroom, not left at tables. Staff check all areas at closing for left items. External bins located away from building and secured; litter-picking keeps areas clear of items that could conceal devices."
How to answer this for yourself
Consider:
- Do staff know to look for and challenge unattended items?
- What's your procedure when an item is found?
- How do you manage customer belongings (coats, bags)?
- Do you check the venue at closing?
- Where are your bins located?
Common mistakes
- Ignoring unattended bags because "it's probably nothing"
- Moving suspicious items (could trigger device)
- Bins positioned against the building or near entrances
- No systematic checking of the venue
9. Event Bookings Control
Template question: Describe the hazards, persons at risk, existing controls and additional actions for controlling event bookings and large gatherings.
Why it matters
Private events, functions and large bookings change your venue's risk profile. Higher occupancy means more people at risk and more complex evacuation. External organisers may have different expectations. Events may attract specific threats. Proper vetting and planning reduces risk.
What good answers look like
- "Event bookings require completion of booking form including expected numbers, event type, and organiser contact details. Events over 100 attendees require pre-event meeting with organiser to discuss security, capacity management and emergency procedures. Organiser signs agreement acknowledging house rules including bag policy. Additional door staff arranged for events over 150. Controversial or high-profile events escalated to manager for risk assessment and potential police notification."
How to answer this for yourself
Think about:
- How do you vet event bookings?
- Do you collect information about the nature of events and expected attendance?
- Are organisers briefed on your security procedures?
- Do you adjust staffing or security for larger events?
- How do you handle bookings that might attract protests or controversy?
Common mistakes
- Accepting bookings without understanding the event
- Not adjusting security for higher capacity
- No pre-event briefing with organisers
- Forgetting that events change your normal risk profile
10. Review of Security Measures
Template question: Describe the hazards, persons at risk, existing controls and additional actions for reviewing and updating security measures.
Why it matters
Terrorism threats evolve, your venue changes, and security measures can become complacent routines. Regular review ensures your assessment stays current, staff training remains effective, and new vulnerabilities are identified. Martyn's Law requires ongoing compliance, not a one-off exercise.
What good answers look like
- "Terrorism risk assessment reviewed annually by operations manager and whenever significant changes occur (new entrance, layout change, new event type, staffing restructure). Review includes checking threat levels via MI5/ProtectUK, analysing any security incidents or near-misses, and assessing whether current measures remain proportionate. Staff refresher training aligned with annual review. Any incidents (suspicious items, concerning behaviour) logged and reviewed for lessons learned. Next scheduled review: January 2025."
How to answer this for yourself
Consider:
- When did you last review this risk assessment?
- What would trigger an unscheduled review?
- Do you monitor the national threat level?
- Are security incidents logged and analysed?
- Is there a named person responsible for ongoing compliance?
Common mistakes
- Completing the assessment once and filing it away
- Not reviewing after incidents or near-misses
- Ignoring changes to the national threat level
- No clear ownership of ongoing security compliance
Tips for completing your terrorism risk assessment in Pilla
- Be honest about your vulnerabilities: The assessment is for your benefit. Glossing over weaknesses means you won't address them.
- Consider your specific context: A late-night bar has different risks to a family restaurant. Tailor your answers to your venue.
- Include dates and names: When was training completed? Who is responsible for what? Specifics demonstrate genuine compliance.
- Think like an attacker: Walk through your venue considering how someone might conduct reconnaissance, gain access, or cause harm. Then address those gaps.
- Engage with available support: Counter Terrorism Security Advisors (CTSAs) offer free advice. ProtectUK has resources. ACT Awareness training is free. Use them.
Understanding Martyn's Law requirements
Who needs to comply?
Martyn's Law applies to public venues with a capacity of 200 or more people. There are two tiers:
- Standard tier (200-799 capacity): Requires a terrorism response plan and staff training. No mandated physical security measures.
- Enhanced tier (800+ capacity): Requires additional security measures, a documented security plan submitted to the regulator, and a designated senior officer for compliance.
What's the timeline?
The Act received Royal Assent in April 2025 with a 24-month implementation period. Enforcement is expected from 2027, but preparing now is advisable.
Who enforces it?
The Security Industry Authority (SIA) will regulate compliance, with powers to issue compliance notices, fines, and restriction orders for non-compliant venues.
Common questions
Do venues under 200 capacity need to comply?
Not legally, but completing a terrorism risk assessment and training staff is good practice for any public venue. The template in Pilla works for venues of any size.
What training do staff need?
At minimum, ACT Awareness e-learning (free, online, takes about an hour). Supervisors and security staff should consider ACT Security training. Regular briefings keep awareness current.
Do I need professional help?
For standard tier venues, you can complete the assessment yourself. For enhanced tier or complex venues, engaging a security consultant may be valuable. Your local CTSA can also provide free guidance.
How often should I review the assessment?
At least annually, and whenever there are significant changes to your venue, operations, or the threat level. Log any security incidents and incorporate lessons learned.
Frequently asked questions
- How does compliance differ between small and large venues under Martyn's Law?
Under Martyn's Law, the compliance requirements differ based on the venue size.
- What are the potential consequences for hospitality businesses that fail to comply with Martyn's Law?
Hospitality businesses that do not comply with Martyn's Law can face stiff penalties including fines, enforcement notices, and possible closure.
- What is the difference between Standard and Enhanced Tier venues under Martyn's Law?
Martyn's Law categorises venues into Standard and Enhanced Tiers based on their capacity.
- What documentation is needed to demonstrate compliance under Martyn's Law?
Under Martyn's Law, all venues are required to maintain essential documentation to demonstrate legal compliance.
- What are the Enhanced Tier requirements for large venues under Martyn's Law?
Under Martyn's Law, large venues that can host 800 or more people must comply with Enhanced Tier security requirements.
- Which hospitality businesses must comply with Martyn's Law?
Hospitality businesses that anticipate hosting 200 or more individuals, including staff and customers, simultaneously must comply with Martyn's Law.
- How should hospitality businesses train staff under Martyn's Law?
Hospitality businesses must ensure staff are comprehensively trained to respond to terrorism threats under Martyn's Law.
- How should hospitality operators prepare for Martyn's Law?
To prepare for Martyn's Law, hospitality operators should understand the law's requirements and implement compliance measures.
- How can hospitality operators stay informed about Martyn's Law?
Hospitality operators should stay informed about Martyn's Law by regularly checking official websites like GOV.UK and ProtectUK, and subscribing to updates from relevant authorities.
- When does Martyn's Law come into force?
Martyn's Law, officially known as the Terrorism (Protection of Premises) Act 2025, was granted Royal Assent on 3rd April 2025. However, its requirements will not become enforceable immediately.
- How will Martyn's Law be enforced?
The UK Security Industry Authority (SIA) will oversee the enforcement of Martyn's Law, including monitoring compliance and ensuring that venues meet the law's requirements.
- What is Martyn's Law and why was it introduced?
Martyn's Law, officially known as the Terrorism (Protection of Premises) Act 2025, is UK legislation aimed at enhancing security in public venues to mitigate terrorist threats.
- What practical steps can venues take to comply with Martyn's Law?
To comply with Martyn's Law, venues should start by assessing if they fall under the law based on capacity and public access.
- Who should be responsible for Martyn's Law compliance?
Responsibility for Martyn's Law compliance typically falls to key figures such as the owner, licensee, general manager, or event organiser in a hospitality business.
- What are the Standard Tier requirements for hospitality venues under Martyn's Law?
If your hospitality venue, such as a restaurant, bar, or hotel, accommodates between 200 and 799 people at any one time, it is required to adhere to the Standard Tier of Martyn's Law.