From Compliance to Capability: A case study of PDR

The name of this venue has been anonymised for security purposes. Where exact information was not available, informed judgements were used.

Introduction

In the current threat landscape, protective security for large, publicly accessible theatres is no longer just about physical measures. It is about defensible resilience – the ability to understand risk, justify security decisions, and demonstrate that arrangements are proportionate and actively managed.

A recent assessment of a London theatre, classified as an Enhanced Duty Premises under the Terrorism (Protection of Premises) Act 2025 (Martyn’s Law), illustrates this shift in practice. The assessment identified a High quantitative threat context, reflecting environmental exposure associated with location, crowd dynamics, and surrounding infrastructure rather than a specific or imminent threat.

The significance of the findings lies in the response. While the theatre demonstrated strong resilience capability in deterrence and recovery, the assessment also identified 30 targeted improvement measures to strengthen planning, detection, and prevention. Through the application of the Protect Duty Compliance and Audit Report (PDR), these findings were translated into a structured, auditable improvement pathway, showing how Martyn’s Law compliance can operate as a practical framework for continuous security improvement rather than a tick-box exercise.

Background

This case study relates to a large, publicly accessible theatre in central London, anonymised for security purposes. The venue hosts scheduled performances accommodating over 1,000 people at a time and operates within a dense urban environment characterised by sustained pedestrian activity and extensive transport connectivity.

Due to its function, capacity, and public accessibility, the theatre is classified as an Enhanced Duty Premises under the Terrorism (Protection of Premises) Act 2025 (Martyn’s Law). Under Martyn’s Law, the theatre must assess terrorism risk, maintain appropriate public protection procedures and measures, and take proportionate steps to reduce the risk of harm to the public.

The Compliance Challenge

Martyn’s Law compliance requires Responsible Persons to demonstrate that their security arrangements are risk-informed, proportionate, clearly documented, and actively maintained. The challenge for venues is not simply implementing protective measures, but evidencing that they are justified, consistent, and subject to review.

The theatre therefore required an approach that integrates terrorism risk assessment, resilience evaluation, procedures, measures, and improvement planning into a single, record capable of supporting regulatory scrutiny and governance.

Using PDR

An assessment was completed online using Assess Threat’s secure platform, using a yes/no question format. The questions correlate with the requirements of Martyn’s Law and the security questions relating to procedures and measures are aligned to guidance from the National Protective Security Authority (NPSA) and ProtectUK.

PDR assessed terrorism risk by combining background risk with premises‑specific factors, including location, visibility, online presence, and proximity to high‑risk assets. This produced a risk profile that reflects the theatre’s operating context.

From this foundation, PDR evaluated resilience across an attack cycle, documented procedures and measures, and identified areas for improvement. It provided a coherent, auditable framework against which protective security decisions could be made and reviewed.

Understanding Risk in Context

PDR identified a quantitative Threat Score of 74.6 out of 100 (High), combining background and asset‑specific risk.

The background risk rating was assessed as Moderate, informed by historical terrorism data. Between 2001 and 2024, 1,319 terrorist attacks were recorded nationally, including 57 incidents within 10 km of the theatre’s location. Over the same period, 41 attacks targeted assets in the Arts, Entertainment, and Recreation sector, evidencing that this category of venue has been affected historically.

The theatre’s asset-specific risk score of 60.0 (Moderate–High) reflects features that increase exposure, including predictable event schedules, concentrated crowd volumes, strong public visibility, and proximity to a dense network of transport facilities and other high-risk assets. These factors increase indirect exposure and potential consequences, even where the theatre is not the primary target of an attack.

The high threat score does not indicate an imminent threat but provides a defensible rationale for maintaining structured protective arrangements. By separating background risk from premises-specific drivers, PDR supports informed decision-making and justification of security measures based on exposure rather than assumption.

Assessing Resilience and Preparedness

A central focus of the PDR is resilience: the ability of a premises to reduce harm where possible, manage an incident in progress, and stabilise operations afterwards. Resilience was assessed across seven capability areas covering the pre-attack, attack, and post-attack phases.

For this theatre, the resilience assessment showed strong capability in deterrence and recovery (both scoring 100 out of 100), alongside high scores in protection (80.49) and response (84.38). These results reflect established arrangements for visible security, incident management, and post-incident stabilisation, indicating that the theatre is well positioned to manage and recover from an incident if one were to occur.

Lower scores in planning (68.42), detection (79.45), and prevention (76.32) indicate opportunities to strengthen pre-incident capability. These findings relate to how risk is documented and embedded into planning processes, how potential threats are identified, and how some preventive measures are applied consistently across the site.

These results distinguish between established capability and targeted gaps, enabling proportionate enhancement without undermining existing arrangements.

Recording Procedures and Measures

To support compliance with the Act, PDR documents public protection procedures and measures in a structured, auditable format.

Procedures covering evacuation, invacuation, lockdown, communication, and organisational arrangements are recorded alongside measures relating to monitoring, movement, physical security, and information security. Each is recorded as implemented, partially implemented, or not implemented, with review/test dates captured.

This evidences that arrangements are actively managed rather than static documents and directly informs prioritisation of improvements.

Targeted and Proportionate Improvements

Based on the assessment findings, PDR identified 30 proposed public protection measures, arising from areas assessed as partially implemented or not implemented. Each proposed measure corresponds to a specific gap identified in the theatre’s security arrangements.

The distribution of proposed measures shows that most foundational controls are already in place. Remaining gaps relate primarily to consistency, coverage, and reliability of existing arrangements, rather than the absence of core controls. These gaps are most evident within planning, detection, and prevention, where resilience scores for this theatre were lower or mid-range.

Each proposed measure is mapped to the resilience capability it strengthens and assigned a priority of Critical, Recommended, or Best Practice, providing a clear basis for prioritising resources and directing effort to the areas of greatest impact. The proposed measures are recorded within an interactive register, allowing implementation decisions to be documented, responsibility to be assigned, and progress to be tracked over time. This creates a clear and auditable record of compliance and improvement.

It is recommended that each proposed measure is reviewed by the Responsible Person before implementation, as some measures may be assessed as not applicable, disproportionate in terms of resource or cost, or unlikely to materially reduce risk, and may therefore be reasonably avoided with a documented justification. Risk management is about identifying and managing risk to proportionate and manageable levels rather than attempting to eliminate risk entirely, strengthening the organisation's position over time.

For example, while structural hardening measures such as ballistic or blast-resistant treatments may be listed for consideration, a Responsible Person may determine that these are constrained by the building’s design or heritage status and is not an applicable risk improvement measure for the premises.

Similarly, where vehicle mitigation measures are proposed, site-specific analysis can be used to inform implementation decisions. In this case, an Automated Hostile Vehicle Vector Analysis (AHVVA) assessment was undertaken to assess vehicle-borne attack feasibility in areas outside the venue where patrons gather prior to events and where no permanent vehicle safety barriers are currently in place. The results showed that vehicle-borne risk to these areas was low, and permanent hostile vehicle mitigation was not required. This provided an evidence-based alternative to commissioning additional consultancy or installing unnecessary physical measures.

Supporting Ongoing Security and Compliance

PDR is designed to support ongoing compliance, rather than acting as a one-off assessment. For this theatre, it provides a baseline record that can be reviewed and updated as conditions change, procedures are exercised, or improvements implemented. Outputs, including risk profiles and prioritised measures, can be incorporated into the theatre’s wider security plans and organisational risk management processes, ensuring terrorism risk is managed as part of overall organisational resilience.

This enables duty holders to demonstrate that protective arrangements are kept under review, actively managed, and proportionate over time, in line with statutory requirements.

Conclusion

The findings from this assessment provide the theatre with a clear and prioritised roadmap for the period ahead. With nine actions identified as Critical, alongside further Recommended and Best Practice measures, the next steps for strengthening protective arrangements are clearly set out.

The assessment shows that the theatre already demonstrates strong capability in deterrence, response, and recovery, while also highlighting opportunities to strengthen planning and detection, where improvements can meaningfully enhance preparedness before an incident occurs.

Taken together, the case study demonstrates how the PDR supports a practical, ongoing approach to protective security, enabling the theatre to maintain proportionate, risk-informed arrangements that continue to protect the public as conditions evolve.