How to allocate risk, enforce standards, and preserve authority on paper
Contributed by Jim Brigham, LCG VP of Risk Management, Former Operations Chief, State of Vermont, Office of Safety & Security
Series context. This series turns lessons from the September 10, 2025, Utah shooting into a practical playbook for campuses, event organizers, and public officials. Parts 1–4 covered threat assessment, drone exposure, and venue operations. This installment closes the loop with the governance, contracts, and insurance moves that decide outcomes before doors open. [1]
Put risk management into the contract, not a binder on a shelf
When events are public, outdoors, and high profile, operational discipline is only as strong as the paperwork that gives people authority, budgets, and stop-show power. Event agreements, vendor scopes, and permits should hard-wire incident command roles, training, pre-event exercises, and escalation thresholds that align with national guidance for mass gatherings and incident management. That means planning checklists and role definitions tied to CISA’s mass gathering framework, FEMA’s National Incident Management System, and the ASHER program practices reflected in NFPA 3000. [2][3][4]
LCG perspective. You cannot transfer accountability; you can only transfer portions of financial exposure. Write the plan into the contract, name the person with authority, and make payment milestones depend on delivering and exercising the plan.
A pre-event risk allocation playbook
Aligned with ISO 31000 risk principles and ISO guidance for hosting citywide events and for crisis management, use this checklist to turn intent into enforceable commitments. [5][7]
- Name the Event Safety Officer in writing, give them stop-show authority, and seat them as Incident Commander under NIMS/ICS. Require ICS-100/200 awareness for key staff. [3]
- Vendor credentialing and scopes. Require background checks where lawful, radio discipline, reunification duties, and participation in one tabletop and one communications drill before show day. Tie invoices to drill attendance. [2][7]
- Crowd management minimums. Reference Life Safety Code crowd-manager ratios and occupant-load calculations in contracts. Document egress routes, public address audibility checks, and signage placement. [4]
- Insurance that matches the threat model. Require additional insured, primary and non-contributory language, and waivers of subrogation. Specify assault and battery coverage, event cancellation coverage, cyber coverage for ticketing and PII, and terrorism coverage consistent with TRIA. [8]
- Data and comms governance. Define who owns attendee data, what gets retained, for how long, and who clears public statements. Pre-approve holding statements and rumor response workflows, and require a single spokesperson. [7]
- UAS and elevated-vantage controls. Even when you are not the mitigator, require detection logging, law-enforcement liaison, and Remote ID capture in the incident log, then hand off to authorized partners. Cross-reference your drone plan from Part 3. [2][3]
- Acceptance criteria. Make delivery of a signed safety plan, staffing matrix, floor plans with camera and overwatch positions, and proof of insurance the gating items for move-in access. [2][7]
Map your paperwork to recognized standards, then audit it
Treat the contract packet like a control set. Map each clause to a risk or control family so auditors, counsel, and insurers see a traceable plan.
- Risk assessment. Use NIST SP 800-30 to structure your hazard list, likelihood, impact, and response triggers for outdoor academic venues. [6]
- Controls crosswalk. Tag responsibilities to NIST SP 800-53 families, for example AT (training), CP (contingency planning), IR (incident response), PE (physical and environmental), and PM (program management). [6]
- Event standards. Cite ISO 22379 for hosting large citywide or regional events and ISO 22361 for crisis governance and communications. [7]
Common failure modes include paper plans without delegated authority, ambiguous indemnity that leaves organizers exposed, missing assault and battery sub-limits, certificates of insurance that do not include additional insured endorsements, and no practiced pathway to pause or end the show when signals deteriorate. Courts analyze foreseeability and burden, which is why documented planning and trained responses matter. [8]
Quick Checklist
- Name an Event Safety Officer with stop-show authority, in writing.
- Bake NIMS/ICS, crowd-management ratios, and crisis communications into scopes and milestones.
- Verify insurance endorsements and TRIA applicability before tickets go on sale. [8]
Final thought
Risk management for public events is a governance exercise first, and a security exercise second. If authority, training, insurance, and escalation are written, funded, and rehearsed, the team can act quickly under pressure and defend those actions later. That balance, clear responsibilities and measured controls for foreseeable hazards, is what protects people, reputations, and institutions. [9]
References (endnotes)
[1] “After Utah: A Risk Management Playbook to Prevent Targeted Violence at Public Events,” Parts 1–4, LCG Discovery & Governance series outline.
[2] Cybersecurity and Infrastructure Security Agency, Mass Gathering Security Planning Tool, User Guide and checklist, May 24, 2024. (CISA)
[3] FEMA, National Incident Management System, Third Edition, October 2017. (Preparedness Toolkit)
[4] National Fire Protection Association, NFPA 3000, Standard for an Active Shooter or Hostile Event Response Program, fact sheet and related guidance. (NFPA Catalog)
[5] ISO 31000:2018, Risk management, Guidelines. (ISO)
[6] NIST Special Publication 800-30 Rev. 1, Guide for Conducting Risk Assessments, and NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations. (NIST Publications)
[7] ISO 22379:2022, Security and resilience, Guidelines for hosting and organizing citywide or regional events, and ISO 22361:2022, Security and resilience, Crisis management, Guidelines. (ISO)
[8] Weirum v. RKO General, Inc., 15 Cal. 3d 40, California Supreme Court, 1975, addressing foreseeability and duty in event-related promotions; see also balancing duty approaches in Posecai v. Wal-Mart Stores, Inc., 699 So. 2d 1081, Louisiana Supreme Court, 1999.
[9] LCG internal research notes supporting this series and governance templates.
This article is for general information and does not constitute legal advice.
Appendix: Recent Events Underscoring Contractual and Governance Gaps (Sept–Oct 2025)
The following incidents illustrate why risk, insurance, and authority need to be embedded in agreements before the event—especially when gatherings blur the line between public, private, and informal space. These summaries are for contextual reference only.
A1. St. Helena Island, SC — Willie’s Bar Shooting (Oct 12, 2025) (AP News)
Four people were killed and at least twenty injured when gunfire erupted during an unsanctioned alumni event at Willie’s Bar & Grill. The gathering drew crowds connected to a local high school’s homecoming but was not formally contracted or permitted as an event.
Governance relevance. With no formal contract, safety roles, or defined authority, there was no clear incident-command structure, escalation pathway, or insurance allocation. A simple venue-use agreement requiring an Event Safety Officer, liability insurance, and coordination with law enforcement could have created a governance spine and reduced ambiguity of duty. [(A1) AP News, Oct 12, 2025]
A2. Leland, MS — Homecoming Weekend Shootings (Oct 11, 2025) (The Guardian)
A series of shootings during high-school homecoming activities killed six and injured more than ten. Events were spread across multiple venues and informal block parties.
Governance relevance. Homecoming weekends operate as distributed citywide events but often lack unified contracts, credentialing, or insurance language. A pre-event memorandum and vendor contracts tied to NIMS/ICS roles and TRIA-compliant insurance could establish clear safety obligations and command hierarchy. [(A2) The Guardian, Oct 11, 2025]
A3. Los Angeles, CA — Vehicle Ramming Outside Venue (Oct 2025) (AP News)
A vehicle drove into a crowd waiting outside a downtown Los Angeles venue, injuring approximately thirty people before bystanders subdued the driver.
Governance relevance. Ingress and egress areas are extensions of the event footprint. Contracts should define responsibility for vehicle-barrier placement, crowd-control infrastructure, and coordination with local traffic management. Insurance must not exclude vehicular incidents under the assault-and-battery or general-liability clauses. [(A3) AP News, Oct 2025]
A4. Henderson, KY — Gunfire Near Fall Festival (Oct 2025) (Yahoo News)
A shooting occurred blocks from the West Side Nut Club Fall Festival, prompting panic and temporary disruptions.
Governance relevance. Even incidents outside the direct event boundary can create cascading impacts on crowd safety, communications, and operations. Event contracts should stipulate adjacent-incident protocols, shared situational-awareness channels with law enforcement, and criteria for event pause or evacuation authority. [(A4) Yahoo News, Oct 2025]
Summary Observation
Across these incidents, the failure mode was not only physical security—it was contractual and governance ambiguity. Written roles, credentialing, and insurance requirements could have aligned participants, preserved authority, and protected both attendees and organizers. These lessons reinforce the principle that public-event safety begins on paper, not at the gate.
References (Appendix A)
(A1) Associated Press, “Shooting at packed South Carolina bar kills 4 and injures at least 20 others,” Oct 12, 2025. apnews.com
(A2) The Guardian, “Six killed in Mississippi homecoming weekend shootings,” Oct 11, 2025. theguardian.com
(A3) Associated Press, “Car strikes crowd outside Los Angeles venue, injuring 30,” Oct 2025. apnews.com
(A4) Yahoo News, “Second suspect charged in deadly Alabama shooting near festival,” Oct 2025. yahoo.com