The Manchester Arena Inquiry Volume 1: Security for the Arena was published last week. It is now over four years since the attack, and the proceedings of the Inquiry have been widely reported as they happened; but this volume brings together all the evidence about security prior to 22nd May 2017 and, crucially, provides a number of recommendations.
Sadly, the report catalogues a huge range of failures by the various organisations responsible for providing security for the Manchester Arena. As with the Grenfell Tower Inquiry, these include:
- Confusing and poorly understood contractual arrangements;
- Failure to comply with legal and regulatory requirements;
- Failure of regulators to identify and take action on non-compliance; and
- Inadequate training for many staff groups.
The Chair of the Inquiry, Sir John Saunders, concludes that these factors contributed significantly towards the high death toll.
The most interesting part of the report for me is Sir John’s views on the process used by these organisations to assess the risk of a terrorist attack. Both SMG, who operated the Arena, and Showsec, who provided security at events, had developed written risk assessments; which included various terrorist threats amongst the hazards considered. Sir John identifies many flaws in these documents, particularly around the need to make them specific and current by using all available information; as well as highlighting that they were not really used as a management tool in any meaningful way. He then goes on to highlight, as many others have done before, that a standard 5×5 risk matrix is fundamentally unsuited to assessing the risk of low likelihood events with extreme impacts (such as a terrorist attack):
I have considerable reservations about this approach being used in connection with the threat from terrorism.
Low likelihood and very high impact is not in any sense equivalent to very high likelihood and low impact, as implied by the common practice of simply multiplying the two ratings together to give an overall (but meaningless) “risk score”.
However, having correctly identified the problem, I feel that Sir John fails to offer a suitable solution in his recommendations. He offers three possible solutions, the first being to simply ignore the likelihood when considering terrorist threats; implying that all conceivable terrorist attack methodologies must be mitigated in some way, however implausible. The second option is a modified version of this, proposing that likelihood is only used in distinguishing between different terrorist attack methodologies. This is a sensible modification, focusing attention and resources on mitigating the more likely threats; but still not an optimal solution. Finally, he suggests using a greater range of severity scores; although he doesn’t say exactly how great a range (10, 50, 100?)
All of these proposed solutions miss two fundamental points:
- It is fundamentally wrong to assess one class of risks in a completely different way to all others; and
- Sadly, we have masses of information about the impact of terrorist attacks.
Picking up on the first point, one could also experience mass casualties (and fatalities) at an arena from a fire or a crush of bodies: using a different risk assessment approach for one specific type of risk (terrorism) would likely lead to a distortion in the allocation of resources for mitigating different threats. Given the vast amount of data available on historical terrorist attacks, and the sophistication of tools for modelling new attack methodologies, it is perfectly possible to perform a fully quantitative assessment of terrorism risks. Other risks to public safety at events can be modelled in exactly the same way, allowing resources to be directed to the risk mitigations that are most cost-effective in preventing injuries and fatalities.
It is unfortunate that this golden opportunity to drive a paradigm shift in risk management has not been seized.