Retailers: Get Ready for Protect Duty

- new legislation creates a requirement for most retailers with public access to ensure preparedness for and protection from terrorist attacks

In early 2023, Protect Duty – the newly proposed legislation for public places to ensure preparedness for and protection from terrorist attacks – is expected to come into law. For the many retail spaces accessible to the public, the introduction of the Protect Duty legislation will lay down a raft of new security and safety obligations. Retailers need to start preparing now to understand what their obligations are likely to be under the new legislation and establish where their own organisation is in relation to the requirements, the path to compliance, and what the implications might be for their insurance programmes.

Spaces Vulnerable to Terrorism

With a business model that is predominately based on free access and with a minimum of control on those who enter, retailers are one of the more challenging sectors when it comes to considering how to actively manage access to and from their site. It’s no surprise that in its consultation, Protect Duty refers to large organisations with more than 250 employees across all sites (e.g. retail, or entertainment chains) as in scope for the legislation. Smaller retailers should also consider the benefits that complying with the legislation will have on consumer confidence and footfall, particularly if there is an overt “safety rating” employed. Yet, it could be that given 28% of the Protect Duty consultation’s respondents suggested that organisations with any number of employees should be included, then they may also be required to comply.

The New Measures

What exactly retailers will have to do to meet Protect Duty requirements is still to be confirmed but it is likely every organisation over the threshold will need to make sure that their starting point is a thorough risk assessment undertaken by a competent person, that they have developed a robust plan on how to deal with a terrorist attack, and ensured that staff are trained and aware of threats, likely attack methods, and how to respond.

The Government has also identified potential “appropriate and proportionate” security measures associated with Protect Duty which could include the use of available information and guidance provided by the Government and the Police to consider terrorist threats to the public and staff at locations owned or operated. In addition, there is a requirement to assess the potential impact of these risks across functions and estate, and through systems and processes, as well as a need to consider and implement “reasonably practicable” protective security and organisational preparedness measures.

The new legislation is also likely to reinforce many existing, good practices around risk assessments and security delivery, though that’s not to say there won’t be a need for additional effort and spend. All retailers required to comply will see increased workload in the short to medium term to demonstrate they are aligned with Protect Duty; from risk assessments, through to investment in training, daily delivery and how they would manage the response to an attack before the arrival of the emergency services.

Top Considerations for Retailers

Protect Duty is putting in place minimum levels of preparedness for retailers that should help discourage attacks by identifying hostile reconnaissance, and then mitigating the impact of any event by ensuring a joined-up response from retailers and the emergency services. While not yet in law and given the importance of a retailer’s brand and reputation – the safety of staff and customers being paramount - there are steps that retailers can take now to understand Protect Duty’s requirements; for example, key internal stakeholders – including finance, HR, life safety (security), and insurance – can be brought together now to manage internal expectations – as a minimum these roles will be utilising time to understand the requirements and their path to compliance, once the detail is published. The closer issue to address will be the renewal of their Casualty insurance programme, which markets have already indicated will be affected for PAL (Publicly Accessible Locations) exposed entities.

Protect Duty will need to be wrapped into the annual cycle of assessment and audit of risk, alongside wider health and safety activity. Within the urban environment this may require coordinating both security delivery and response between several spaces; local authorities may have a role in facilitating this coordination. As a minimum, retail organisations will see additional training requirements for staff, and for some, technology investments as well as routine internal (and potentially external) audits of related activity.

Insurance Implications

Clearly the purpose of any life safety programme is to safeguard lives rather than simply to avoid potential liability. But, good engagement with Protect Duty will reduce the chances of poor response to an incident and the potential for negligence. And insurers will undoubtedly require additional information from insureds, material information on the quality of the risk management in place; arguably enabling differentiation between peer organisations when the markets are pricing for renewal.

When considering financial resilience, an attack may generate impacts that are covered by property damage/business interruption (PDBI) related insurance solutions. Understanding the financial impact of non-damage events (typically, the impacts from non-explosive events) will help retailers decide whether broader insurance should be arranged for non-damage BI coverage.

When there is potential for people to be affected within a retailer’s location, the potential for claims of negligence and possible liability must also be considered. Liability claims may not be about stopping the event but could focus on how an insured prepared for the impacts from these events as well as how they responded to limit the impact on the people within their space. In the insurance context, Protect Duty is primarily a Casualty programme consideration.

Start Your Renewal Early

Protect Duty is likely to become a legal requirement within the UK in 2023 and early engagement will reduce unanticipated operational and financial impacts and improve its integration into risk management activities. Aon can support our clients understand where they are in relation to the legislation (when it’s published), in addition to mapping out the “path to compliance” aligning risk management & Life Safety efforts with the aims of the Protect Duty legislation.

Retailers should begin discussions with their insurance broker outside of the usual Casualty programme renewal cycle, to give more time and space to understand and manage the additional information requirements from underwriters and allow clients to differentiate the quality of their risk management. The renewal of PALs’ Casualty programme is likely to be sooner than their requirement to demonstrate compliance with the Protect Duty. Aon has a number of proprietary solutions available to complement or back-fill Casualty programmes, should market appetite shift significantly for certain insureds.

​Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.

This article has been compiled using information available to us up to 21/12/23.

Aon UK Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.

FPNAT662