•   QMS ISO9001

SIR JOHN SAUNDERS SECURITY REVIEW OF THE MANCHESTER ARENA BOMBING IN 2017

SirJohnSaunders.

SIR JOHN SAUNDERS SECURITY REVIEW OF THE MANCHESTER ARENA BOMBING IN 2017

SIR JOHN SAUNDERS SECURITY REVIEW OF THE MANCHESTER ARENA BOMBING IN 2017 500 333 SPP Solutions

Introduction

SIR JOHN SAUNDERS SECURITY REVIEW OF BOMBING in the Manchester Arena bombing in 2017 had a very profound effect on the public. It was a music concert, attended by lots of girls and young children that were tragically targeted by a suicide bomber. It was a reminder of the threat we as a nation always face, sadly highlighting that nowhere is completely safe and no one is above being targeted.

The security industry knew this. Part of security training was and remains counter-terrorism.

Part 1 of Sir John Saunders report has been released and I want to focus on the security provision and the failings of that provision that lead to the deaths of 22 people.

Incidents like this rarely happen without warning, and Manchester is no exception to that rule. Missed opportunities ultimately lead to the loss of life of innocent concertgoers, in what should have been a joyous and celebratory event. 

You can access the full report here, and I will be more than happy to discuss any of my personal views on anything raised in this post. 

Preface

In June this year, Sir John Saunders published Part 1 of his report into the security provisions and the security failings leading up to the 2017 Manchester Arena suicide bombing. 22 people lost their lives at the end of the Ariana Grande concert, and I believe this was avoidable.

Sir John Saunders said: “It should not be necessary to have security to protect us from murderers who have formed the intention to kill innocent members of the public, including children, in pursuit of their distorted beliefs but, while the terrorist threat remains, and it shows no sign of going away, we do need to have in place protective measures which provide security against the threat, but do not prevent us enjoying the freedoms which are part of our way of life.”


Salman Abedi detonated his device at 22:31 on the 22nd of May, 2017. The explosive element of his device was surrounded by nuts and bolts which added to the shrapnel effect of the detonation and took the lives of 22 innocent people – the youngest of which was 8 – in what people would expect to be a secure environment. 

Opportunities were missed to prevent, or at least disrupt and deter the attack on Manchester Arena. Given the security and terror threat level in the UK at the time – severe – an attack is highly likely – how was this allowed to happen? There were failings at every level, as highlighted in the report, and it does make hard reading especially when so many of the operational shortcomings were totally avoidable.


“At the time of the Attack, the Arena was operated by an organisation which I will refer to as SMG. SMG is a large entertainment business. SMG had contracted with Showsec, a company specialising in crowd control, to provide crowd management and event security for the concert on 22nd May 2017. Policing for the Victoria Exchange Complex, including the area in which the attack was carried out, was provided by British Transport Police (BTP). Greater Manchester Police (GMP) provided a Counter Terrorism Security Advisor (CTSA) to SMG who had provided advice to SMG in the years leading up to the Attack.

SMG, Showsec and BTP are principally responsible for the missed opportunities. Across these organisations, there were also failings by individuals who played a part in causing the opportunities to be missed.”


So have lessons been learned? As a training provider, security professional and consultant I’d have to conclude that some lessons have been learned. In attending any venue in the UK for social or leisure activities, you absolutely take your life into your hands. Venues and Security providers will say the right things and tell members of the public how they are looking after their security, but the reality is very different.  

In 2017 as it is today, the threat was very real. On the 22nd of March, Khalid Masood drove his car across Westminster Bridge, killing pedestrians before fatally stabbing PC Keith Palmer in Parliament grounds. Therefore, security should have been top of the agenda on May 22nd of the very same year, just eight weeks after the Westminster attack.

What went so tragically wrong on the 22nd of May in the lead up that lead to such a devastating loss of innocent life?

The Security Industry Regulator

The regulator of the security industry is the SIA. It’s the SIA that set the standard for anyone wishing to work within the industry, in line with the provisions of the Private Security Industry Act (PSIA) of 2001. Anyone wishing to obtain a licence to work in any of the license sectors must complete accredited training, so the SIA grants training oversight to awarding bodies, such as City and Guilds. 

These awarding bodies are Ofqual regulated and operate to SIA qualification requirements. In turn, the awarding bodies have training providers aligned to them. The training provider must go through a lengthy process of application before they are then given Centre status and allowed to deliver training on behalf of the Awarding Body – which in turn ensure that the SIA requirements are met.  

Foolproof, eh?

The SIA set parameters, including maximum class size allowed, guided learning hours, English competency, and identification requirements for each qualification through a course specification document. It’s the responsibility of the training provider to ensure the course specification is followed, and the responsibility of the awarding body to audit adherence to the specification.

As well as licensing Individuals the SIA manage and run a scheme called the Approved Contractor Scheme (ACS). The aim of the scheme is to give reassurance to businesses that are sourcing security. If a security company appears on the ACS, it’s viewed as legitimate, above-board, accountable and audited by the SIA – and therefore has a “badge of honour” amongst security companies in the UK.

As a regulator, the SIA also carry out unannounced visits to security companies and individual licence holders to ensure their legitimacy to work. A lot of this focus is on the night-time economy such as door supervisors.

The wider Security Industry

Security in this country is often viewed – wrongly – as something that “anyone can do”. Namely, you don’t need training, it’s common sense and people that work in security do so because they don’t have the academic ability to do anything else. At the other end of the security spectrum, we have University courses leading to degree level qualifications in areas such as Security and Risk Management as an example. Security is not learnt at university. People can get promoted into security management positions with little or no direct security experience. 

The security industry is poorly paid, attracting a lot of migrant workers. The Job Centre will enrol people onto a security licensing course, just to get them into employment – and so the wheel goes round.

Security Companies

Security companies are not generally interested in how an individual gained their licence or the quality of the training they received. Instead, the key employment driver for the company is that they simply have a licence.

Companies win contracts to provide security on a client’s premises and negotiate the extent of the provision required; including the number of personnel needed to fulfil the obligation. Very often the client – with no security background or knowledge – will dictate the number of officers needed. 

Security companies run lean and focus on the bottom line. Once they have a contract, they will not wish to spend any more on training, CPD or advancement of officers and will do the absolute minimum required to keep the client happy. Security officers are generally very poorly paid and often poorly trained, although they do have licenses in most cases.

The only legislative requirement within the industry is initial security training. Once someone has completed that training and has their license then there is no requirement for any refresher of follow up training to renew their license every 3 years for example. Anyone with a license within a sector that a security company needs such as Door Supervisor for example is pretty much guaranteed employment. The company must carry out security vetting of the Individual they wish to employ.

Security Training Providers

Training providers who deliver the licensing training also have a huge responsibility. Training providers are the gatekeepers of the industry. They must ensure candidates fit SIA requirements in terms of their ability to read, write and speak English and meet the ID (identification) requirements before they sit the relevant course. How many “security professionals” have you had dealings with that cannot speak English or communicate to a satisfactory level? 

The security qualifications have recently changed quite considerably – as of the 1st of April 2021. Anyone who is already a license holder in the Door Supervision or Security Guarding Sector will have to complete “top-up” training, as of the 1st October 2021, to stay in line with the new training courses. Anyone renewing before the 1st October 2021 will just reapply for their license and if they still meet the SIA requirements, will be re-issued a license for another 3 years.

Personally, I remember going to a meeting with a large, well-known security provider to offer training and consultancy and was told by the Director (with lots of letters after his name and now working for a national security provider) that “I wouldn’t pay a penny for training if I didn’t have to”.

You can start to draw your own conclusions as to how safe you are.

“The Inquiry heard criticisms from two witnesses about the quality of the training they had received. In one case, none of the training was in person. In another, the candidates were told the answers to the exam questions by the training provider.

Making sure that the training is done properly and professionally is obviously important. The SIA should make sure that there are regular and unannounced checks carried out on training providers.

I heard evidence that the awarding organisations do this already, but it would also be worthwhile for the SIA or Ofqual to consider carrying out spot checks with SIA‐licensed individuals who have received the training to get a better idea of what actually happens.”

Many of those in low paid roles or unemployed will search for the most affordable training courses available – the bare minimum to be eligible to apply for a license on completion. Therefore, some training providers will offer the bare minimum to satisfy this, not paying much consideration to the quality of the training.

Why don’t awarding bodies seek out these charlatan providers?

In fairness all the awarding bodies I have been aligned to have and will seek out training providers that are not adhering to SIA guidelines on training provision – however, there seems to be a caveat. 

There was a national training provider called ‘Get Licensed’ who were known in the training world to be doing things against the rules. Because they were working nationally, they were spending an awful lot of money with awarding bodies on exam papers, so the perception was that the awarding bodies turned a blind eye to their activities so as not to lose the revenue generated by ‘Get Licensed’ buying exam papers at £35-£40 per person.

Had it been a small provider that was spending very little in comparison then they would have been sanctioned straight away. ‘Get Licensed’ were eventually removed as a training provider, but not before the SIA revoked some 2000 licenses nationally that people (searching for cheap training) had paid Get Licensed for. Subsequently, those people had to pay for another accredited training course in a set timescale to get their licenses back from the SIA. A license is currently £190.

Venues

Venues whether big or small are basing their security provision purely on price. The industry is great at fighting its way to the bottom and by that, I mean that if provider “A” comes in at a price that the venue deems to be excessive then there will always be a provider “B” that will do it for less. The result is that the staff will end up doing excessively long hours, in poor conditions for minimum pay. If the staff voice adverse opinion, then the company will get rid of them – there are plenty more license holders that will fill the shirt.

I hope you can see the pattern here. 

Security Systems Installers

One area not mentioned above but very relevant to what happened in Manchester is CCTV coverage. It was found that there was a “blind spot” in the CCTV system and that Abedi exploited this and moved to the blind spot to conceal himself from view. CCTV is obviously a surveillance tool; tool being the operative word. It doesn’t make anywhere any safer, it merely affords the opportunity to surveil an area without having to have security personnel there. It doesn’t matter how good the cameras or system is;  if the operators are not well trained, motivated and rotated regularly then CCTV is operationally useless. So why would there be a blind spot?

CCTV installation is a professional and technical process. There is a myriad of firms that call themselves installation specialists, but few that live up to their hype. Part of the process of installation – done before cameras are put up – is Operational Requirement (OR). This is essentially a plan, a series of questions and walkarounds to determine where cameras are needed to meet the operational aims of the system. A good OR is the difference between a good effective system or a poor one. 

I have never been to Manchester Arena or seen the CCTV, but as soon as a blind spot is mentioned then alarm bells ring. Sometimes blind spots are inevitable but very often they can be overcome with a good OR. If a blind spot is inevitable then that is a security risk and an area that any security provider should highlight as needing a visible security presence and deterrent (if the decision-maker has any security awareness).

“However, had the CCTV system covered the Blind Spot and been properly monitored, there would have been heightened sensitivity to SA’s presence. 

His return to the City Room at 21:30 would then have been seen as significant by those responsible for monitoring the CCTV. Abedi, dressed in black, crouched down upstairs for nearly an hour, occasionally praying before he walked down to the foyer”.

There is a lot of industry background given above and I think that’s hugely important. It provides context to the Manchester Arena tragedy from a professional point of view. 

The failings

Most CCTV systems will only keep recorded data for 31 days, at which point it is overwritten meaning that most CCTV systems have 31 days of historical footage to call upon in the event of any investigation. Footage from the Manchester Arena system would only have given an insight into what happened over the preceding 31 days if indeed it was keeping its footage for 31 days. 

During the investigation into the events leading up to the attack including looking at historical CCTV footage Abedi had visited Manchester Arena on 3 separate occasions This was part of his Hostile Reconnaissance (HR) plan. Visiting the venue to look at security provision, CCTV, layout, exits, entrances, police presence etc.

Manchester-born Abedi, of Libyan descent, walked across the City Room foyer of the venue towards the main doors and detonated his shrapnel-laden device, packed into his bulging rucksack, at 10.31pm on May 22 just as thousands, including many children, left the concert.

The inquiry was told he made three reconnaissance trips to the venue, adjoining Manchester Victoria rail station, before his fateful last journey and security experts considered he may have noticed a CCTV blind spot on the raised mezzanine level of the City Room.

HR is a very real part of the terrorist attack planning cycle and has been found (retrospectively) to have taken place on most if not all terror attacks. 

Why aren’t they caught?

The simple answer is because they are very good at what they do coupled with the fact that they understand security shortfalls. Most CCTV operators are reactive meaning that they react to CCTV only when something happens. Operators should ideally be proactive and by being proactive and inquisitive they stand the best possible chance of spotting HR.

The other big factor and especially In the CCTV world is the hours that operators are expected to work in a Control Room (CR) The adult attention span (subjective but generally) is 30-40 mins so the longer someone sits in an environment that requires higher levels of concentration the less they will be able to observe and the easier they are distracted which then makes them reactive.

I have provided training and consultancy in some very high-security environments where operators have done no more than 30 minutes in front of the monitors.

The two operators at the Manchester Arena were not trained but had asked for training and were told they didn’t need training because they were “in-house” security staff. At least one of them was required to be trained and licensed. We are back to the money aspect of the industry. How can it possibly be right that CCTV operators can use CCTV in such a venue with absolutely no training?

Effectively we have a 2-tier security system in the UK. If you work for a security provider and are contracted to a venue, then you require an SIA license to work legally. If you are a security operative and are employed to provide security for the employer on their premises, then you don’t need a licence. We now have people who are trained and people who are not trained in security duties.

The SMG groups were SMG Europe Holdings and SMG (UK). Between them, SMG Europe Holdings and SMG (UK) carried out the two parts of the SMG group’s activity. Those two parts were facilities management and the running of events. The intention was that SMG Europe Holdings would be responsible for facilities management and SMG (UK) would be responsible for events.

SMG had their own in-house security team so didn’t (according to Law) need to be licensed but at the time of any events being hosted at the arena the in-house security team needed augmenting with an outside contractor which in this case was Showsec. Showsec is a large national security and events company with some 4000-casual staff at their disposal. Showsec is part of the SIA run ACS. At the time of the Manchester Arena bombing, Showsec had used unlicensed staff and had done so knowingly. This is a Criminal Offence under the provision of the PSIA 2001. Sir John Saunders noted the following:

“The SIA also runs an Approved Contractor Scheme (ACS) which operates on a voluntary basis and has around 800 members.

Showsec is an approved contractor and have played a prominent part in setting up the scheme.

That makes it even more regrettable that, for a period of years, it has been allowing its unlicensed staff to carry out bag checks, even when Showsec knew they ought to have licences. The ACS appears to be principally self‐certifying, but assessors do appraise the conduct of the contractors concerned.

If the ACS is continued or expanded, it is important that the ACS brings with it a quality assurance on which the public can rely”.

The report goes into far more extensive detail of how the SMG group of companies shared responsibility internally and the contractual obligations with the external security provider namely Showsec.

On the night of the 22nd of May a concerned member of the public, Christopher Wild, approached one of Showsec security staff nearby to alert him to the fact of SA acting suspiciously.

“A concerned Christopher Wild, waiting with his partner to pick up his daughter, earlier approached Abedi upstairs and said he asked him what was in his rucksack, but he did not reply. When further pressed, Abedi told him he was “waiting for someone” and asked for the time.

Mr Wild thought “nervous” Abedi looked out of place and raised his concerns at about 10.15 pm with Showsec steward Mohammed Agha, who was guarding an emergency exit, but told the inquiry he felt “fobbed off”.

It was another eight minutes before Mr Agha relayed the concerns to colleague Kyle Lawler as the former had no radio to the security control room and did not believe he could leave his post, the inquiry heard.

Giving evidence, Mr Lawler said he had a “bad feeling” as he eyeballed Abedi but did not approach him as he did not think he had enough evidence and also feared being branded a racist.

He claimed he could not get through to the control room on his radio and agreed he simply “gave up” as he took up his position on a walkway bridge to the City Room.

Two independent security experts told the hearings they did not believe Mr Agha, then aged 19, and Mr Lawler, 18, at the time, were adequately supervised or trained”.


When a member of the public is finding an individual’s activity suspicious then surely the security teams should be onto it straight away because remember we had (at the time) a Terror Threat Level which was Severe, meaning an attack was highly likely.

Public venues and large public gatherings are high-risk, and as such the venue and Showsec should have known, understood, and responded to the threat proportionately. and adequately Greater Manchester Police (GMP) Counter Terror Security Advisors (CTSAs) had been consulting with SMG.

Mr Lawler, one of the guards involved “feared being branded a racist” This is a sad reminder of the world we live in. One word fits all here, justification. Suspicious activity is just that, suspicious, so irrespective of Race Religion or Ethnicity suspicious behaviour should be confronted and suspicions give justification.

Since the tragic events of the 22nd May 2017, SMG made the following statement.

“All of us at Manchester Arena have learnt a lot since the events of that night and our security measures continue to evolve to reflect the threats we face today. Since the attack, we have further extended the security perimeter, adopted a more intensive approach to checking and searching including the use of walk-through metal detectors and installed a new CCTV and access control system.

Sounds good? 

Looking and reading that statement, I would say it’s the typical corporate response and you don’t have to do much searching to see similar responses to historic events where there has been a major loss of life and not just terror-related events. The threats today are pretty much the threats that existed in 2017.

Technology is not always the answer. While technology can provide an advantage, it shouldn’t be relied upon as being an absolute game-changer. Technology is only as good as the people that are using it so people become the game-changer. Well trained, motivated, and valued staff are far more effective than technology but when coupled with technology that’s what can make a huge difference.

Part of the terrorist attack planning cycle is HR. That hasn’t and won’t change. HR is designed to find and exploit weaknesses in security, access, process, and technology. Having well trained, well motivated and valued staff is worth far more than technology.

Conclusion

Manchester Arena is a sad reminder of the threat that we all face domestically in 2021. Most terror-related incidents in recent years have been at the hands of Muslim extremists. Does that mean all Muslims are terrorists? Of course not, it’s preposterous to even contemplate some kind of commonality here in the wider muslim population.

Should we apply caution and awareness to all individuals as security professionals? Absolutely. Sadly, we do live in a self-imposed fear – as Mr Lawler showed – whereby people sometimes don’t act out of fear of being placed into a fixed ideological box, namely racist in this instance. But that can’t stop us from being careful. Being cautious and suspicious does not mean providing a second-class service, or being rude or obnoxious in the delivery of the security service. It does mean remaining vigilant and aware of the threat. We need to make the big calls – often  in order to ensure protection of life. 

In 1984 the Provisional Irish Republican Army (PIRA) made a statement in the wake of the Grand Hotel bombing in Brighton that was orchestrated to murder the then Prime Minister, Margaret Thatcher:

“Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always”

That statement rings as true today as it did 37 years ago.

Security must evolve. Long gone are the days of security being “night watchmen” and “shirt fillers”. The threat is real, and we need a real response. Being a security professional and passionate about security at all levels, I would hope that serious lessons are learnt here. 

You can view our professional security training courses here.