ALARP in Risk Management: Practical Steps to Reduce Identified Risks Cost-Effectively

A critical stage in any risk management process is moving from identification of threats to the application of proportionate controls. This article focuses on practical actions that can be taken once risks have been identified, particularly those involving terrorism and vehicle-borne attacks. The emphasis is on no-cost and low-cost measures that help reduce risks to a level that is As Low As Reasonably Practicable (ALARP), while fulfilling the primary duty of care under work health and safety legislation. These steps also illustrate why structured tools, such as interactive tables for risk tracking and decision documentation, are valuable in the process.

Understanding the ALARP Principle

ALARP requires that risks be reduced to a level that is as low as reasonably practicable. This means implementing risk reduction measures unless the time, effort, or cost is grossly disproportionate to the benefit achieved in terms of risk reduction.

The principle originates from UK health and safety legislation (Health and Safety at Work etc. Act 1974), where it is expressed as "so far as is reasonably practicable" (SFAIRP). The assessment involves balancing:

• The likelihood of the hazard or risk occurring.

• The degree of harm that might result.

• What the duty holder knows (or ought reasonably to know) about the hazard, risk, and available ways to eliminate or minimise it.

• The availability and suitability of control measures.

• The cost of those measures, including whether it is grossly disproportionate to the risk.

In security applications, such as protecting facilities against vehicle-as-a-weapon threats or terrorism-related risks, ALARP supports responses that are proportionate rather than absolute. Complete elimination of risk is not required when further reductions would be grossly disproportionate.

The Role of Risk Management

Risk management systematically identifies threats, evaluates their likelihood and consequences, and applies controls to bring risks to a tolerable level that satisfies ALARP. The objective is not to remove every risk at any expense, but to manage them in a balanced and defensible way. This approach builds organisational resilience over time, as early controls establish a foundation for continued monitoring and future improvements.

No-Cost and Low-Cost Actions After Risk Identification

Once a risk assessment has highlighted specific vulnerabilities, many effective controls can be put in place with no additional financial cost or only minimal outlay. These typically rely on administrative and procedural measures within the hierarchy of controls. Practical examples include:

• Procedural updates: Revise existing access control procedures, visitor registration processes, or delivery and loading protocols to reduce exposure at identified vulnerable points (for example, limiting vehicle access to high-risk zones during peak periods). Implementation involves internal review, staff communication, and updates to current documents. Cost: Nil.

• Staff awareness and briefings: Deliver briefings during routine team meetings or through existing communication channels on indicators of suspicious vehicle behaviour, such as prolonged loitering near perimeters or reconnaissance activity. Use free guidance published by government agencies (for example, the National Protective Security Authority (NPSA), Australian Federal Police or state police resources on hostile vehicle mitigation). Cost: Staff time only.

• Site layout adjustments using existing assets: Reposition current bollards, signage, temporary barriers, or parking zones to create greater stand-off distances or obstruct preferred attack routes. This may require only minor re-marking of lines or relocation of movable items. Cost: Nil or minimal (for example, staff labour for repositioning).

• Information sharing: Strengthen or establish regular contact with local law enforcement, neighbouring organisations, or industry groups to exchange threat intelligence and coordinate on emerging risks. This can utilise existing community or sector networks. Cost: Nil.

These procedures and measures can produce immediate risk reduction and should be recorded, including the rationale for their selection and an assessment of any remaining residual risk.

Demonstrating Duty of Care and Compliance

In the United Kingdom, Martyn's Law (Terrorism (Protection of Premises) Act 2025) establishes a statutory duty for publicly accessible premises and events. As of January 2026, it is in transition (full requirements expected ~April 2027).

It applies a tiered system:

• Standard tier (200–799 people): simple, low-burden actions like staff awareness and basic procedures using free ProtectUK guidance.

• Enhanced tier (800+ people): risk assessments and reasonably practicable measures.

This Act emphasise proportionate controls (often no-cost or low-cost), documentation of decisions, and alignment with ALARP to show compliance and duty of care has been met.

Starting with practical actions after risk identification, combined with clear records, provides strong evidence of reasonable and proportionate management for audits, inquiries, or insurance purposes.

The Role of the Risk Action Plan Table

This is why Protect Duty Solution's reports include an interactive Risk Action Plan table.

The table is designed to translate risk findings into practical, trackable actions. It allows users to:

• View identified risks alongside suggested treatment options

• Assign actions based on cost, complexity, and priority

• Distinguish between immediate, low-cost measures and longer-term improvements

• Record implementation status and review outcomes

Rather than presenting risk assessment as a static document, the Risk Action Plan supports an ongoing process of improvement. It makes it easier to demonstrate that risks have been considered, actions have been selected deliberately, and progress is being monitored over time.

Importantly, it reinforces that effective risk management does not start with expensive solutions – it starts with reasonable ones.

Looking Ahead

Once risks have been identified, organisations can make meaningful progress toward ALARP by prioritising no-cost and low-cost actions such as procedural revisions, staff briefings, layout adjustments using existing assets, and enhanced information sharing. Under Martyn’s Law, these types of measures demonstrate that reasonable and proportionate steps have been taken to reduce the risk of terrorism.

Structured tools, including interactive tables, help organise the process, maintain clear documentation, and track progress. For organisations seeking to apply these principles in the context of terrorism and vehicle-borne threats, practical implementation of these steps provides both immediate risk reduction and a strong compliance position.