Regulation or risk management?

The UAE has used different approaches in the way developments are designed to enforce security.

The UK has historically relied on legislation such as the Crime and Disorder Act 1998 to embed crime prevention and counter-terrorism measures in the built environment, and the only guidance specific to planning is the National Planning Policy Framework’s call for the creation of safe and accessible environments. In the UAE, however, there has been a different approach. Abu Dhabi, the second most populous city of the Emirates, developed a safety and security planning manual (SSPM) in 2013, and established a security review team in the planning review process.

All developers were expected to comply with the principles of the SSPM, and certain categories of building – most notably, crowded places such as hotels, sports arenas and retail malls – were required to demonstrate appropriate security through planning, design and construction.

While there was initial resistance to the regulation, the SSPM was a success. New developments such as Al Maryah Central Mall, Warner Brothers Theme Park and the Founder’s Memorial (see photo, right) found different and innovative solutions to satisfy the security requirements, including hostile vehicle mitigation and anti-incursion measures to delay terrorist attack or armed robbery.

Secure new developments such as the Founder’s Memorial have embedded hostile vehicle mitigation measures

Perhaps the strength of the SSPM approach was that, although it had teeth through the planning process, it was also performance-based, offering developers the flexibility to ensure security in a way that best served their project. This intelligent approach is more challenging to quantify than a specification-based process would be, but ultimately achieves better results. The SSPM was justifiably acclaimed, winning both the International Achievement Award and the Counter-Terrorism Solution of the Year Award at the UK Security Excellence Awards in 2014.

But as with any regulation, it is only successful if enforced over time. The Abu Dhabi Department of Urban Planning and Municipalities found itself unwilling to regulate security, which culturally would rest with national security agencies.

So when it was announced that the SSPM would remain as guidance but no longer be subject to planning review, I was saddened that all the hard work and progress could be so easily undone. After a period of reflection, however, I wondered whether we should regulate or leave security to risk management – after all, isn’t that what security professionals are supposed to do?

When work on the design for the Louvre Abu Dhabi began in 2007 no regulation existed, yet it was made clear as part of the client brief that security was to be a key factor. Once the SSPM was introduced and the security team at the planning authority reviewed the design, it was evident that security had been given due consideration. The design team was applauded on a job well done and no further intervention or enhancement was required.

This was not achieved through regulation but through sensible risk management. Given the value of the art on display, the iconic nature of the museum and the potential reputational damage to the national tourism sector if security were breached, tolerance of risks was low and security therefore had a significant influence on planning and design. Careful security planning and design is also evident at luxury hotel the Emirates Palace, which was also built before the implementation of the SSPM.

But outside these two projects, it is hard to find an existing development in Abu Dhabi where such consideration has been given to security requirements, even though the city is flush with luxury hotels, stadia, shopping malls and other destinations that may be targets for terrorist attack.

So for a regional comparison, I took a road trip to Dubai, the UAE’s most populous city, often viewed as being quicker to bring developments to fruition.

Ugly retrofits, such as the hostile vehicle mitigation measures at the Abu Dhabi Corniche, can affect the visitor experience

A tale of two cities

For some time, Dubai has regulated security but has focused primarily on technical security systems and employing guards. And yet, surprisingly, the benchmarking study I conducted found far more buildings in the city had high levels of embedded security. For instance, the Burj Al Arab, a luxury hotel, was planned as an island site, with controlled access to the bridge that links it to the rest of the city incorporating counter-terrorism measures and robust security procedures.

The Burj Khalifa provides a similar benchmark: road access to the Armani Hotel, which is part of this tower, passes through an architecturally designed vehicle control point equipped with counter-terrorism-rated access control measures, supported by an inner line of hostile vehicle mitigation features.

A short drive around the city highlighted similar examples such as Media City and the Dubai Opera. At none of these had good security design been demanded by regulation, so it can only be assumed that, like the rare examples in Abu Dhabi, there was a specific client brief for higher levels of security.

But is this because the decision-makers had received more accurate risk management information? Were the clients more forward-thinking, futureproofing the design against increasing threat levels? Or is it the simple fact that risk management decisions were fully considered early in the design programme – whereas project managers on many other developments focus on time and cost rather than the finer, longer-term elements of the brief such as security?

But the reality is that security incidents do happen, threat does change, and buildings are so much harder to change once they are completed. Retrofitting security measures always affects business operations; this approach will not be as functional or as effective as a strategy considered thoroughly from the outset, and it will cost more.

Even knowing this, though, why do so many developments still remain inappropriately protected? Is it the lack of regulation or is it poor risk management by developers and clients? Is it the absence of a clear allocation of accountability and responsibility? Should it be a development-scale decision, or should it be considered at a national level and factored into regulation? It is clear that those developments that have been well planned and designed with security in mind provide an excellent guest experience in a safe and secure environment, now and into the future.

Conversely, those where security was not considered may provide a good visitor experience, but this will take place in a vulnerable environment. In certain jurisdictions, they may even be liable to future prosecution where a court decides that protection is not commensurate with the threat.

Equally, if measures are retrofitted – such as those recently implemented at the Abu Dhabi Corniche (see photo, above left) – the aesthetics, functionality and visitor experience can be significantly compromised. This is a clear lesson that security should not be an afterthought. So enforced regulation can undoubtedly provide excellent results, as demonstrated by the new developments in Abu Dhabi under the SSPM. These developments are inherently safer, futureproofed against changes in threat, while security measures proved far less expensive than originally envisaged by the developer.

Dubai also boasts some excellent examples of safe and secure environments, presumably achieved through sensible risk management and client direction rather than regulation.

Worryingly, however, while ambiguity prevails, the UAE contains a wide range of crowded places that remain vulnerable despite the obvious threat levels – and the same is true for many cities around the world.

Authored by Stuart Williams and published in the February/March 2020 International Edition of the RICS Built Environment Journal, this article considers the different routes adopted within the UAE to achieve security objectives – through risk management and regulation.