A Venue Owner’s and Operator’s Guide to Protecting Places of Mass Gathering

How to define places of mass gathering

What’s a place of mass gathering? And how do you know if you have the legal responsibility to protect the one you own or operate? The answers are more complex than you’d think. For starters, the risk designation, place of mass gathering, is extrinsic to the core function of the venue – contrast that with the term, critical infrastructure, which designates assets, systems, and networks vital to physical or economic security and/or public health or safety. 

Indeed, what actually qualifies a venue as a place of mass gathering is that it has the high potential to inspire terrorist attacks. Of course, it only becomes so by concentrating large numbers of people (usually in larger cities) in accessible placesⁱ.

It’s this very potential for venues to become places of mass gathering that presents such a stark safety and security challenge for owners and operators. Those internal stakeholders must contend with the fact that high-population densities can congregate in their venues at both regular and unpredictable times. Then, by dint of being highly accessible, those publics present bad actors with the opportunity to inflict mass casualties, cause mass economic damage, and instill public fear. 

While serious, though, these safety and security challenges aren’t insurmountable. Indeed, safety and security risk is relative – not all venue owners and operators will be implicated. Some facilities are simply more likely to inspire terrorist attention than others. Which ones? Public safety and law enforcement agencies have traditionally considered the following venue to be of higher relative risk:

• Sporting venues
• Commercial precincts (shopping and business
• Significant tourism and entertainment venues and attractions
• Hotels and convention centers
• Public transportation hubs
• Major events

A word on major events: major events count as places of mass gathering. Nevertheless, places of mass gathering aren’t reducible to major events. Major events are largely one-off (rather than ongoing) occurrences that concentrate large numbers of people on a fairly predictable basis. Further, major eventsⁱⁱ, whether international summits, political conventions, large-scale sporting events, or music festivals, are often political, social, or religious in nature, making them outsized targets for terrorist attackⁱⁱⁱ. 

It’s this high level of risk that helps explain why major event stakeholders tend to use more advanced tools, techniques, and practices to keep their venues and publics secure, spending accordingly. For instance, organizers of the 2002 Salt Lake City Winter Olympics, the first Games held after the September 11 terror attacks, invested over USD 300 million on security^iv, USD 50 million more than Sydney organizers spent to secure the much larger Summer Games two years earlier^v. Security spending on major events has only increased since then.

What do these trends mean for venue owners and operators of places of mass gathering (that aren’t major events)? Well, those stakeholders must address whether they are, in fact, making adequate investments in the protection of their venues and congregating publics. 

For the most part, they’re not, even though the stakes couldn’t be higher. A security lapse leading to a major incident at a place of mass gathering can torpedo an owner’s/operator’s/manager’s reputation, erode any sense of fellow feeling among residents, and send costs and liability through the roof. 

Don’t take the risk. Protect your place of mass gathering with effective safety and security management practices and structures. Not sure how? The guide walks venue owners and operators through the finer points of planning, including duty of care, interoperability, risk, and emergency action planning with the goal of controlling major risk factors and keeping publics and property safe.

Navigating duty of care obligations for event managers and owners and operators of places of mass gathering

Protecting places of mass gathering means controlling risk. Safety and security risk, however, can come from virtually any aspect of the operation, a daunting prospect for venue owners and operators. And that risk tends to increase – not shrink – as the size and complexity of the operation grows. 

What’s more, effective risk management for protecting places of mass gathering isn’t just a best practice, recommended to venue owners and operators. Many jurisdictions have stepped in, too, mandating effective management of safety and security risk as the legal price to play for operating venues – risk factors to consider include the following:

Potential risk factors for places of mass gathering

Risk issues category

• Environment
• Financial
• Human resources
• Infrastructure
• Interdependence
• Legacy
• Media
• Operations
• Organizing
• Participation
• Political
• Relationships
• Threats
• Visibility

Specific issues

• Impacts, e.g. pollution, destruction of the environment, etc.
• Sponsorship, ticketing and attendance, economic impacts/tourism, government support, ROI
• Paid staff, volunteers, training
• Existing infrastructure, new infrastructure, community resources
• Hierarchy of power, partnerships
• New facilities, public availability 
• Positive versus negative coverage
• Logistics (travel, transportation, food, accommodations), facility management, safety, health and well-being, crowd control, security, administrative tasks (accreditation, communications)
• Bureaucracy, legal, organizational change, leadership
• Public access, ticket availability
• Government changes, countries involved
• Meeting and balancing stakeholder needs and requirements
• Epidemics, personal, terrorism, weather
• Ambush, marketing, brand, image, reputation, support for the event

Source: University of Ottawa

Those mandates put venue owners and operators firmly on the hook for taking reasonable steps to ensure the protection and safety of congregating publics. This legal responsibility falls under the broad banner of duty of care.

What does the duty of care obligation entail in the context of a place of mass gathering? An important component:

Oftentimes, public safety and law enforcement agencies will provide venue owners and operators with the tools to self-assess the risk of terrorism to their operation. Duty of care obligations don’t end there, though. Besides performing self-assessments, venue owners and operators are encouraged to commit to activities that will keep places of mass gathering safe. These security activities tend to be of an ongoing nature, consisting of the following:

• Maintain an awareness of the operating environment
• Provide adequate security for their assets, based on threat and risk
• Actively apply risk management techniques to their planning processes
• Conduct regular reviews of risk assessments and security, emergency, and contingency plans
• Report any incidents or suspicious activity to relevant public safety officials
• Develop and regularly review business continuity plans, including identifying interdependencies
• Conduct training and exercise their security, emergency, and contingency plans
• Participate in government exercises to assist in harmonizing prevention, response and recovery arrangements with relevant controlling agencies.

Essential integrated safety and security technology features to protect people and places of mass gathering

For venue owners and operators, maintaining duty of care while protecting people and places of mass gathering will be beyond the capability of manual processes and techniques. Luckily, advanced integrated safety and security technology can help keep publics and property safe. Here are some key software features to consider:

• Drive your safety KPIs in the right direction with best-practice management of incidents, injuries, risks, and controls.
• Action tasks from incident ‘lessons learned’ and related risk reviews to achieve continual improvement of your organization’s processes and procedures.
• Report and manage all environmental, health and safety incidents and hazards in a single flexible platform.
• Track and manage all your safety information, key documents, tasks, checklists, and corrective actions in one place.
• Initiate and track investigations using best practice standard methodologies
• Manage safety assurance activities such as audits, inspections, non-conformances, and actions.
• Visualize locations of incidents, hazards, people, and assets using the fully integrated mapping features.
• Increase team collaboration and efficiency using the in-built communications for email, SMS, or app notifications, broadcasts, alerts, and reminders.
• Manage key details of staff, contractors, volunteers, and external parties, including competencies, compliances, and site inductions.
• Easily relate incidents, risks, and hazards to your own organization structure, buildings, sites, plant and equipment, materials, and other assets.
• Display key information where it is needed using flexible dashboards, analytics, and reporting that caters for all your stakeholders.
• Automate and lead people through your procedures, with fully-configurable workflows.

Of course, precise standards vary by jurisdiction. As such, venue owners and operators are well advised to consult the relevant local, state, and federal statutes. 

A typical baseline, though, is the expectation that people won’t be exposed to risks arising from the operation. Complying with that obligation will entail different steps for different operations. For instance, for major-event organizers, compliance means taking proactive steps to keep publics safe before, during, and after an event. Conversely, for venue owners and operators of places of mass gathering, compliance means taking proactive steps for the length of the operation. Here, potential steps to mitigate safety and security risk might look like the following:

• Performing proper due diligence when obtaining a location and venue, i.e. determining whether the (appropriately-permitted) venue meets public safety requirements
• Creating an emergency action plan (EAP) for the event (see more below)
• Informing attendees of potential threats at the event
• Conducting a thorough risk assessment, considering factors like the weather, wider environment, potential for fire, measures to keep children safe, etc.
• Developing critical emergency procedures for the event, i.e. evacuation strategies, as well as providing for medical assistance, security, and law enforcement

All of these interventions will require a systematic planning effort. (As an aside, ISO 31000: 2018 provides an internationally recognized standard for the practice of risk management, with specific directives to establish the strategic context for actual and potential threats.) Based on the nature of the operation, that effort will be parceled out to a diverse set of internal and external stakeholders, increasing operational risk^vi. 

For instance, the planning effort might entail more construction and operational phases, usually the case in major-event management^vii. The responsibility for executing these time-critical projects might fall to staff and volunteers, who are of varying levels of experience and capability. 

In most jurisdictions, though, worker health and safety (while on the job) must be carefully considered^viii. More specifically, venue owners/operators and event organizers must consider specific provisions for guaranteeing a safe operational environment for paid-, volunteer-, or third-party, contract-crew. 

What must stakeholders do on this safety compliance front? Most jurisdictions will obligate owners and operators to: 

• identify work-related hazards, prior to
• working with stakeholders (including crew) to eliminate or mitigate those threats. 

Interoperability in major event management

Mitigating the safety and security risk factors addressed above is simply beyond the capacity of any one venue stakeholder. Owners and operators as well as organizers will have to work closely with emergency response agencies (police, fire, ambulance, etc.) as well as with other public officials to ensure that venues remain secure and attendees stay safe and healthy. Effective inter-party cooperation alone can achieve the goals of preventing injury, suffering, or death from poor planning and preventable major incidents^ix. 

But inter-party cooperation doesn’t just happen automatically. Stakeholders should understand basic principles first. From the emergency management literature, the key elements of effective inter-party cooperation include collaboration, coordination, and communication: 

• Collaboration  means organizations exchange information and share resources; different stakeholders actually alter their activities, bolstering the capacities of other stakeholders for the good of the overall mission^x. Without collaboration, individual stakeholders risk duplicating the efforts of their partners, misallocating resources, or even delaying crucial operations, like evacuations. Also, information might not get disseminated to the people that need it, or information systems containing useful data might not get used. As a result, stakeholders will make decisions without having access to the best information. 
• Coordination goes a step beyond (just) sharing information. When stakeholders coordinate their efforts, they actually permit external stakeholders to weigh in on the end-to-end process, from the planning phase onward. Coordination helps foster truly collaborative, inter-party teams, deeply invested in pursuing all available resources to achieve success. 
• In responding to incidents at places of mass gathering, coordination goes hand in hand with communication. Stakeholders need to be kept apprised and informed of what’s going on throughout the incident. But the rapid exchange of information among stakeholders during an emergency is difficult, especially an emergency at a place of mass gathering. At that time, the number of organizations involved in the response might swell. 
  
  Sharing data efficiently in that scenario is challenging, but it’s critical none the same. More than procuring the right information management technology, stakeholders need to develop the right emergency response plans and procedures to address how they will work productively (and communicate efficiently) with other stakeholders. 

Understanding inter-party cooperation precepts is an important first step for venue owners and operators toward protecting their places of mass gathering. But the precepts only work if they’re deployed coherently in a previously-agreed-upon framework. That framework is interoperability, or the ability of multiple stakeholders to work well with each other.

In this era of emergency management solutions, the ability of multiple stakeholders to work seamlessly with other systems or products is an essential component of interoperability. More than ever, all stakeholders involved in the securing of places of mass gathering need to be able to talk to each other and share information in real time. Using interoperable technologies helps facilitate more efficient communication as well as lets stakeholders deploy the best resources more efficiently.

Of course, interoperability isn’t only beneficial during an emergency at a plave of mass gathering. Stakeholders who incorporate interoperability into their planning efforts can also better pool resources (and potentially save money).

Emergency action planning for places of mass gathering

Interoperable structures like NIMS (National Incident Management System) or AIIMS (Australasian Inter-Service Incident Management System) provide stakeholders the easy-to-use frameworks they need in order to achieve better outcomes. But NIMS and AIIMS are only a means to an end, not an end in and of themselves. Effective interparty cooperation during an emergency at a place of mass gathering still requires targeting and formalizing inputs, such as the emergency action plan (EAP).

For venue owners and operators, the typically-compulsory EAP is integral to protecting people and property at your place of mass gathering. That’s because the dual goals of emergency action planning are

• identify all potential emergency hazards and 
• mitigate the risk (to life and property) posed by those hazards. 

The plan itself should be highly site-specific, hashed out between the venue owners/operators, relevant public officials, and emergency management agencies. To ensure timely notification, warning, and evacuation in the event of an emergency, the EAP should include the following elements as a baseline:

• An organization chart laying out contacts to notify in the case of an emergency
• Clear instructions and procedures on how to notify those individuals 
• A list of responsibilities for emergency tasks assigned to specific roles, i.e. who is responsible for identifying, evaluating, classifying, then officially declaring an emergency under pre-determined conditions^xi

Of course, baseline emergency action planning won’t cut it during an emergency at a place of mass gathering. Instead, stakeholders should develop, review, and (routinely) test best-practice EAPs. Emergency agencies in most jurisdictions put out best-practice plan templates (also included in certain integrated safety and security management technologies). Here are the key takeaways from a review of those plans:

• Analyze the vulnerability of your venue to natural, manmade, and context-specific emergencies
• Comply with all public (local, state, and national) protocols for on-site emergency medical services
• Coordinate emergency action planning with all relevant jurisdictions, agencies, and individuals 
• Create detailed site plans, including locations of all commercial services, first aid, assembly areas, vehicle access for emergency vehicles, etc.
• Centralize activity in an emergency operations center and resource center
• Disseminate primary and secondary communications systems
• Include standalone EAP annexes for likely major risks, e.g. active shooter, bomb threat, civil disturbance, emergency weather, fire, hazardous materials, etc. 
• Conduct routine plan trainings; revise the plan where necessary^xi

Crowd management best practices for places of mass gathering

Large crowds stand out as clear injury risks to crew and attendees. And so, crowd management planning must also be a key component of emergency action planning. Some baseline crowd management guidelines include:

• Outline all potential dangers from mass gathering as part of a larger layout assessment of the venue
• Hire additional staff if necessary
• Contract trained security and crowd management personnel and/or police officers, or offer rigorous crowd management training to existing staff
• Ensure appropriate signage is visible and legible
• Appoint a worker to contact emergency responders if necessary

Finally, securing places of mass gathering isn’t impossible. Security experts suggest the main challenge lies in delivering the right balance of security and access, while ensuring the measures put in place actually address the security need once fully analyzed^xiii. 

How to get it right? Effective, integrated safety and security management planning helps mitigate risk and keep publics and property safe. Those planning protocols will also breed confidence in staff and let owners breathe a well-deserved sigh of relief as they operate their lucrative venues safely and seamlessly.

Citations

ⁱ     National Counter-Terrorism Committee, National Guidelines for the Protection of Places of Mass Gathering from Terrorism

ⁱⁱ     The scholarship classes unforeseen disasters (from manmade or technological sources) as major events as well.

ⁱⁱⁱ     Bureau of Justice Assistance and CNA: Managing Large-Scale Security Events: A Planning Primer for Local Law Enforcement Agencies. Available at https://www.bja.gov/publications/lsse-planning-primer.pdf

^iv     Becca Leopkey, University of Ottawa: Risk Management Issues in Large-Scale Sporting Events: A Stakeholder Perspective. Available at http://www.ioa. org.gr/wp-content/uploads/2016/09/2007_15th-seminar-on-olympic-studies-for-postgraduate-students-37931-600-21.pdf#page=349.
^v      It should be stated that since then, the price tag for securing the Olympics has shot up into the billions James McBride, Council on Foreign Relations: The Economics of Hosting the Olympic Games. Available at https://www.cfr.org/backgrounder/economics-hosting-olympic-games

^vi     WorkSafe Victoria: Advice for Managing Major Events Safely: 1st Edition. Available at https://www.alpineshire.vic.gov.au/files/7_Advice_for_ managing_major_events_safely.pdf

^vii     Ibid.

^viii     Ibid

^ix     Policy Executive Research Forum, Critical Issues in Policing Series: Managing Major Events: Best Practices from the Field. available at https://www.policeforum.org/assets/docs/Critical_Issues_Series/managing%20major%20events%20-%20best%20practices%20from%20the%20field%202011.pdf

^x     SR Friedman, J Reynolds, et al., Evaluation and Program Planning: Measuring changes in interagency collaboration: an examination of the Bridgeport Safe Start Initiative. Available at https://www.ncbi.nlm.nih.gov/pubmed/17689334.

^xi     Pennsylvania Emergency Management Agency: Special Event Emergency Action Plan Guide. Available at https://www.pema.pa.gov/planningandpreparedness/communityandstateplanning/Documents/Single%20Files/Special%20Event%20Emergency%20Action%20Plan%20Guide.pdf.

^xii     Ibid.

^xiii     Jacinta Carroll quoted in National Security College: Protecting Crowded Places from Terror. Available at https://nsc.crawford.anu.edu.au/news-events/ news/10253/protecting-crowded-places-terror.