A Guide to Security Duty Holders

A guide to security duty holders covering roles, legal duties, competence and practical steps to strengthen preparedness and reduce risk.

A security failure rarely begins at the point of attack. It usually starts much earlier – with unclear ownership, weak decisions, poor assurance, or a gap between policy and reality. That is why any serious guide to security duty holders has to focus on more than titles and job descriptions. It has to explain who holds responsibility, what that responsibility means in practice, and how organisations turn legal duty into operational capability.

For organisations facing elevated threat exposure, duty holder arrangements are not an administrative exercise. They shape whether risk is properly understood, whether protective measures are proportionate, and whether teams can perform under pressure when conditions deteriorate. Modern threats expose old security thinking. If responsibility sits vaguely across committees, outsourced providers and overstretched managers, weak points appear quickly.

What security duty holders actually are

Security duty holders are the people or entities with defined responsibility for aspects of protective security, safety, preparedness and response. The exact legal and operational meaning depends on the environment. In some settings, the duty sits with the employer, operator, landlord, event organiser or accountable manager. In others, responsibilities are split across several parties, each holding a different part of the problem.

That split is where organisations often come unstuck. A duty holder is not simply the person named on a policy. It is the person with enough authority, competence and access to resources to influence outcomes. If someone carries liability on paper but cannot direct action, challenge poor standards or secure investment, the arrangement is weak from the start.

For venues, public-facing businesses, critical sites and high-footfall environments, duty holders often sit at the junction of legal compliance, operational delivery and commercial decision-making. They are expected to balance customer experience, staffing pressure, budget discipline and credible protective security. That balance is real. But it does not remove the duty.

A practical guide to security duty holders in real organisations

The most useful way to read a guide to security duty holders is through the lens of decision-making. Who decides the risk appetite? Who commissions assessments? Who approves physical and procedural controls? Who checks that training is effective? Who owns the response when an incident moves beyond routine disruption into a hostile act?

If those answers are inconsistent, responsibility is probably fragmented.

In practice, most organisations need clarity across three levels. First, there is strategic accountability. This usually sits with senior leadership, directors, trustees or those with overarching control of the undertaking. They set expectations, allocate resources and decide whether security is treated as a live capability or a compliance burden.

Second, there is operational ownership. This often rests with heads of security, operations directors, venue managers or programme leads. They translate strategic intent into plans, procedures, exercises, procurement decisions and day-to-day control measures.

Third, there is frontline execution. Supervisors, team leaders and specialist staff apply the measures in the real environment. They spot anomalies, escalate concerns, manage access, react to incidents and influence how calmly or badly an event unfolds.

The point is simple. Duty does not sit only at the top. But unless the top sets the conditions, the rest of the system degrades.

The legal angle matters, but capability matters more

Many readers will be looking at this through the lens of Martyn’s Law and broader UK protective security expectations. That is sensible. New legal duties increase scrutiny and make vague arrangements harder to defend. But legal compliance on its own is not enough.

An organisation can have a written plan, a named responsible person and a training record, yet still fail badly in practice. That usually happens for one of three reasons. The threat picture was poorly understood, the controls were not realistic for the operating environment, or staff had not built the judgement required to act under pressure.

Good duty holders therefore do more than sign documents. They test assumptions. They ask whether entry screening works at peak flow, whether communications survive confusion, whether escalation thresholds are understood, and whether contractors are being properly assured rather than simply trusted.

This is where experienced protective security support adds value. It turns theory into action. It closes the gap between formal responsibility and actual readiness.

Common failures in duty holder arrangements

The same patterns appear repeatedly across sectors. One is false delegation. A board assumes security is covered because a contractor is in place or a site lead has been given a folder of procedures. Outsourcing activity does not outsource accountability.

Another is role confusion between safety, facilities, operations and security functions. These disciplines overlap, but they are not interchangeable. A capable facilities manager may understand maintenance risk and building compliance, yet still need specialist support on hostile reconnaissance, attack methodology or behavioural indicators.

A third failure is over-reliance on static documents. Threat and vulnerability assessments age quickly if they are not reviewed against operational change. Refurbishments alter circulation. Seasonal demand affects crowd density. Staff churn weakens competence. A major event, protest climate or geopolitical shift can change the threat profile overnight.

The final weakness is lack of assurance. Organisations put measures in place and assume they work. They do not evaluate staff understanding, test decisions, or measure whether the response model is viable. Under pressure, assumptions are punished.

What competent security duty holders do differently

Competent duty holders are visible in the system. They do not sit above it. They understand their environment, know where their critical vulnerabilities are, and can explain why specific measures exist. They can also justify where not to spend money.

That last point matters. Security is full of expensive distractions. The right answer is not always more technology, more procedures or more friction at the front door. Sometimes the priority is sharper governance, better exercised command arrangements, clearer reporting lines or stronger behavioural awareness among supervisors.

Effective duty holders also insist on proportion. A retail estate, hotel group, event venue and energy site do not require identical controls. The threat may be similar in broad terms, but exposure, consequences and operating realities differ. Good judgement sits at the heart of good security.

They also understand competence as a live requirement. Briefings alone do not create readiness. Teams need role-specific learning, realistic exercising and feedback that shows where performance holds up and where it breaks. This is especially important for organisations preparing for terrorism-related incidents, where the speed and ambiguity of an attack can overwhelm teams that have only ever rehearsed routine disruption.

How to strengthen your duty holder model

Start by mapping responsibility properly. Identify who carries strategic accountability, who owns operational delivery and who controls frontline execution. Then test whether each person actually has the authority, knowledge and support to perform that role.

Next, examine your current risk picture. If your assessment is generic, out of date or disconnected from the way the site really operates, rebuild it. Threat, vulnerability and consequence must be considered together. A credible assessment should drive action, not sit untouched after approval.

After that, review competence. This is where many organisations discover the difference between attendance and capability. A completed course record tells you very little on its own. You need to know whether decision-makers understand their duties, whether supervisors can recognise suspicious behaviour, and whether teams can implement procedures under realistic pressure.

Assurance should follow. Tabletop exercises, structured reviews, capability diagnostics and external challenge all help expose blind spots before an incident does. Mildot Group works in this space because organisations need more than policy drafting – they need to know whether their people, plans and assumptions will stand up in the real world.

Finally, treat duty holder arrangements as part of operational resilience, not a side issue for audit season. Security performance is shaped by procurement, staffing, site design, leadership culture and reporting discipline. If those factors are weak, the duty holder framework will carry strain it cannot absorb.

It depends on the environment – and that matters

There is no universal template for security duty holders. A single-site venue with direct leadership control may need a simpler structure than a national operator with mixed ownership, multiple suppliers and variable local management capability. Likewise, an event environment with temporary infrastructure presents different challenges from a permanent commercial estate.

The right model depends on complexity, threat exposure and operational tempo. What should not vary is the standard of clarity. Everyone involved must know who is accountable, what good looks like, how concerns are escalated and how performance is checked.

If that sounds basic, it is. But basic disciplines are often the first to erode when organisations move quickly, decentralise decision-making or prioritise convenience over control.

Security duty holders carry more than a legal label. They carry the responsibility to make protective security real, credible and workable for the people who depend on it. When that responsibility is properly defined, resourced and tested, organisations are in a far stronger position to prevent failure rather than merely explain it afterwards.

Useful Links:

.

Mildot Group®

Our Mission

Deliver real world security and counter terrorism consultancy built for 21st century threats.

Convert complexity into clarity so organisations act faster, smarter, and with confidence.

Provide high-quality security capability that’s within reach for everyone.

Who We Are

Mildot Group (established 2014) is a close network of experienced security professionals, selected for competence, integrity, and delivery under pressure.

With British military foundations and global private sector expertise, we help organisations strengthen security capability, from frontline operations through to senior decision-making.

What We Do

We deliver security risk management consultancy and learning that turns theory into action. From threat, vulnerability and risk assessments through to security strategies, technical systems and behavioural risk solutions, we build tailored protective security and counter-terrorism capability that works under pressure.

Our eLearning is independently reviewed and CPD Standards Office accredited.

 

International Security Experience You Can Trust

The company owner, supported by a hand‑picked network of professionals, brings unrivalled experience from ground level to senior leadership. Their private sector careers span government contracts, security and counter‑terrorism operations, specialist firearms training, and high‑level defence procurement and security advisory roles.

They have trained thousands of security personnel, managed and built large‑scale teams for Oil & Gas operations, and enhanced VIP protection programmes for government clients and delivered long‑term defence capability programmes. Extensive experience at senior levels within the private sector to design, implement and manage security risk management systems that mitigate terrorism, insurgency, and hybrid threats.

Trusted at the Highest Levels

Our services have been rigorously vetted by UK Government agencies. As former Registered Firearms Dealers with Section 5 authorities, our capability, capacity, and proven expertise have been verified to high standards, ensuring absolute confidence in our delivery.

ICO registered number ZA289831 

Privacy Policy

Terms & Conditions Policy

Terms of Use Policy

Privacy Preference Center

Privacy Preferences

Mildot Group hold data sent by users for recruitment purposes only and is not passed onto any third parties. If opportunities become available the data is used to send relevant information to potential personnel. Removal of this data can be made at anytime by requesting removal to info@mildot.co.uk

Social Media

Analytical information to help improve marketing and customer experience.