Martyn's Law marks a pivotal moment for UK business resilience. For senior leaders, especially those in operational or IT roles, the legislation signals a fundamental shift: risk and preparedness are now matters of direct accountability, not just technical compliance. If your business owns or manages premises that fall within the Act's scope, the expectation has changed. You are no longer measured by the strength of your controls or the frequency of staff training alone. Board-level leadership must show, in practical terms, that risk is understood, planned for, and owned.
Martyn’s Law, enacted through the Terrorism (Protection of Premises) Act 2025, represents more than just a new regulatory standard. It sets out clear requirements for UK organisations to identify risks, benchmark their preparedness, and demonstrate resilience, with duties tiered according to the capacity of the premises concerned. Unlike many frameworks, Martyn’s Law focuses on high-impact scenarios such as a terror attack, and makes operational resilience a legal obligation rather than a best practice.
The law is named after Martyn Hett, one of the victims of the Manchester Arena bombing. Its intent is straightforward: ensure organisations take proactive steps to protect the public and mitigate the consequences of terrorism. For SMEs, this means new duties on leaders to assess risks, devise tested response plans, and embed accountability at the highest level.
Most SMEs already manage some form of security, emergency planning and compliance. Chances are, you've invested in Cyber Essentials or ISO 27001, and you’re familiar with data protection obligations. Yet, Martyn’s Law asks new questions:
For operational leaders, this is less about technical controls and more about mature governance. Senior management now needs clear evidence of scenario planning, effective escalation procedures, and regular readiness reviews. This shift is as much cultural as legal. In my experience working with SMEs, resilience often falters not in process, but in leadership clarity. Martyn’s Law brings that tension to the surface.
The Act introduces practical requirements that scale with the nature and capacity of your premises and their exposure to risk. Larger venues face a stronger duty to prepare for worst-case events, such as an active threat or mass-casualty incident. The law spells out key expectations:
From a security perspective, this typically means blending physical and cyber risk insight, scenario simulation, and board-level reporting. Compliance alone is insufficient. You need tangible assurance.
| Common gap | What it looks like in practice |
|---|---|
| Unclear ownership | Many organisations have risk policies, but few can name a single senior owner. Without board-level clarity, resilience is compromised. |
| Outdated plans | Emergency procedures may exist, but are rarely revisited or stress-tested. Static documentation is no substitute for live rehearsal. |
| Gaps in training | Staff training is often annual and generic, missing the context of real premises risk. Martyn’s Law expects training linked directly to the site and the scenarios it may face. |
| Over-reliance on existing frameworks | Relying on Cyber Essentials or ISO 27001 can create a compliance comfort zone. These frameworks are useful, but Martyn’s Law expects preparedness that moves beyond paper assurance. |
One of the most common challenges I see is the disconnect between compliance documentation and real operational readiness. It is now essential for boards to see—and own—their entire risk picture, not just the technical controls.
For organisations already juggling cybersecurity, data protection, and regulatory requirements, Martyn’s Law should act as a catalyst for more proactive, visible risk management.
Martyn’s Law is not a one-off adjustment. It is part of a broader trend towards operational resilience, seen in recent regulation and in shifting expectations from stakeholders, insurers, and customers. Senior leaders should anticipate further moves towards integrated risk governance, commercial transparency, and accountability for outcomes. SMEs that embed these habits now will be well positioned as new standards emerge.
Boards should expect more frequent scrutiny, higher expectations around scenario planning, and a clear mandate to demonstrate not just compliance, but true assurance. This is where resilience becomes a strategic asset.
Martyn’s Law is reshaping the way UK SMEs view risk, resilience and leadership accountability. For operational and IT leaders, the message is clear: compliance is not enough; visible, tested and owned preparedness is the new standard. Senior management must answer for risk exposure and response capability—not just tick boxes.
For those looking to navigate the demands of Martyn’s Law and the wider governance landscape, it is worth starting with a board-level conversation about ownership, real risk, and tested resilience. The legislative intent is to stop business as usual—and replace it with business that is ready, informed, and accountable.
Discover how organisations are improving accountability, risk visibility, and executive decision-making through a more mature Governance, Risk & Compliance approach.
30th June · Live · 45 min + Q&A