Martyn’s Law: Risk Assessment Checklist for Public Safety

Written by Anneri Fourie | Crises Control Executive

Martyn’s Law Risk Assessments: What You Need to Know

The introduction of the Terrorism (Protection of Premises) Act 2025, also known as Martyn’s Law, brings a critical shift in how public venues across the UK must approach safety. The law now requires venues to conduct terrorism-specific risk assessments rather than relying on general health and safety reviews.

For many, this raises an immediate question: How do you begin assessing something as complex and unpredictable as a terrorist threat? It’s a valid concern. Many venue managers feel unsure of how to identify and evaluate terrorism risks without prior experience. The good news is, there is a structured and practical way to handle this, and the right tools can make a big difference.

This guide will break down what Martyn’s Law requires, explain how to carry out a robust risk assessment, and show how platforms like Crises Control can support you in managing and documenting this process efficiently.

Understanding Risk Assessments Under Martyn’s Law

Martyn’s Law applies to public venues that meet specific capacity thresholds. It introduces two compliance tiers:

Standard Tier: For venues with a capacity between 200 and 799 people. These venues need to carry out proportionate risk assessments focused on terrorism threats and take reasonable steps to mitigate them.

Enhanced Tier: For venues with a capacity of 800 people or more. These sites must implement more detailed assessments, put formal protective measures in place, and create written security plans.

The key principle is that all venues must understand the specific risks they face. A generic health and safety form will not satisfy the requirements. Instead, you must look at how your venue might be targeted and what vulnerabilities exist within your space and operations.

Your assessment should include:

• Clear identification of possible terrorism threats
• Evaluation of how and where your venue is most vulnerable
• Prioritisation of necessary mitigation actions
• A system for reviewing and updating your assessment regularly

What Your Risk Assessment Should Include

A comprehensive terrorism risk assessment under Martyn’s Law needs to explore four key areas:

1. Identifying Specific Threats

Think about the kinds of attacks that could realistically occur at your venue. This may include threats such as explosive devices, vehicle-as-weapon attacks, firearms or bladed weapons, and even cyber-related attacks if your venue relies on digital systems.

2. Mapping Vulnerabilities

Look at how people move through your space. Are there crowded bottlenecks? Uncontrolled entry points? Enclosed or poorly monitored areas? These are all potential vulnerabilities.

3. Analysing Impact

Consider what the consequences would be if an incident occurred. What impact would it have on your visitors, your staff, and your operations? Understanding the severity helps prioritise where to act first.

4. Mitigation Actions

Once threats and vulnerabilities are understood, define specific steps to reduce the risk. These could include:

• Physical improvements (e.g. barriers, lighting, CCTV)
• Procedural changes (e.g. staff training, evacuation drills)
• Technology solutions (e.g. real-time communication tools, incident alerts)

Actions should be practical and proportionate to the risk and size of your venue.

Step-by-Step: How to Conduct a Risk Assessment

Carrying out an effective terrorism risk assessment might sound daunting, but by breaking it into manageable steps, you can build a reliable and repeatable process.

Step 1: Create a Site Map

Start with a detailed floor plan that shows all public areas, entrances, exits, service areas and access points. This will form the basis for spotting potential vulnerabilities.

Step 2: Identify Threats and Vulnerabilities

Bring in your management team, security staff, and if possible, a local Counter Terrorism Security Advisor (CTSA). Walk through the site together and talk through potential attack scenarios and how an attacker might exploit the layout.

Step 3: Prioritise the Risks

Rank each identified risk based on how likely it is and how serious the consequences would be. This helps focus your attention on the most critical areas.

Step 4: Define and Assign Actions

Once you know your top risks, decide what needs to be done to reduce them. Assign responsibilities to team members, set deadlines, and ensure these actions are tracked and followed up.

Step 5: Keep It Up to Date

This is not a one-off exercise. Review your assessment whenever your venue changes layout, hosts a special event, or when intelligence from law enforcement updates the current threat picture.

Common Mistakes to Avoid

To make your efforts worthwhile and compliant, steer clear of these pitfalls:

• Relying solely on your fire safety or general health and safety assessments
• Using one-size-fits-all templates that don’t consider your venue’s unique setup
• Leaving assessments untouched for months or years without review
• Excluding frontline staff or local police from the process
• Failing to act on the issues your assessment identifies

How Crises Control Supports Threat-Specific Risk Assessments

Trying to manage risk assessments using spreadsheets or paper documents can quickly become messy and hard to maintain. This is where Crises Control can offer a real advantage.

Here’s how Crises Control supports you throughout the assessment process:

1. Visual Site Mapping

You can upload floor plans, mark out risk areas and track vulnerabilities directly in the system. This helps everyone involved understand your site at a glance.

2. Real-Time Collaboration

Invite colleagues, external advisors or security consultants to contribute and review assessments with live comments and annotations.

3. Task Tracking

Turn mitigation steps into clearly assigned actions. Each task comes with a deadline and status tracker so nothing slips through the cracks.

4. Automatic Version Control

Every time you update your assessment, a new version is saved. This makes it easy to show your history of compliance and continuous improvement.

5. Linked Emergency Plans

Risk findings can be linked directly to your emergency response procedures. This ensures the work you do to identify threats also strengthens your operational readiness.

6. Smart Review Reminders

Set alerts to remind your team to review and update your assessments based on set schedules or major events.

Crises Control isn’t just a place to store assessments; it helps make them living documents that evolve with your venue and the risk landscape.

A Practical Example: From Paper to Platform

Let’s take the example of a 600-capacity concert venue.

The venue conducts its first terrorism-specific risk assessment. Staff notice that one of the main entry points becomes congested before events and lacks CCTV coverage. They also realise their current evacuation plan hasn’t been tested in months.

The team works with their local CTSA to walk through the venue and identify additional issues. They upload their site map to Crises Control, mark out risk zones, and assign improvement tasks.

Changes include installing a new CCTV camera, repositioning signage to improve crowd flow, and scheduling staff patrols during busy periods. All actions are documented, assigned and tracked within the platform.

A week later, they run an evacuation drill using Crises Control’s mass notification feature. One weakness in alert activation is spotted and fixed immediately.

This kind of structured approach not only helps meet the legal duty but also increases the team’s confidence in responding to a real emergency.