6.1. Systematic management of policies
Policies are a form of statements of intent and are often used to guide decision making throughout all levels of operation within in both public and private organizations. Policies are not static documents, but evolve with the organization and must thus be managed. The purpose of Systematic management of policies is to support structured development and management of policies for dealing with emergencies and disruptions characterized by occurrence of emerging risks and threats. The aim is to achieve adaptive and holistic policy management involving policy makers and operational personnel, both within public and private organizations. Note, that when this capability card is used by operational personnel, it rather refers to systematic management of plans, procedures or checklists.
- 1 Implementation
- 2 Understanding the context
- 2.1 Detailed objectives
- 2.2 Targeted actors
- 2.3 Expected benefits
- 2.4 Relation to adaptive capacity
- 2.5 Relation to risk management
- 2.6 Illustration
- 2.7 Implementation considerations
- 3 Relevant material
- 4 Navigate in the DRMG
To achieve a systematic management of policies, several activities and perspectives need to be considered regarding: the policy management process, the policy assessment, and the policy training and implementation support. The policy management process needs to consider how to involve several stakeholders (e.g. operational personnel) to ensure a viable applicability of the policies. The assessment of policy needs to consider how the policies actually work in an operational context and in the context of other policies. Policy training and implementation support needs to consider how policies can be implemented in the organization, in an appropriate and supportive manner for the operational personnel, to manage the change of work practices.
Before a crisis
Proactive systematic policy management can be achieved by organizing working groups, policy-specific or general discussion workshops, regular policy review meetings, policy-testing exercises, and other policy revision activities, within and between different roles and organizations. The analysis of the policy management process and specific policies can be done with for example a structured walkthrough of the policy, or having a more loosely organized brainstorming session.
Letting stakeholders meet and discuss the policies that they are jointly using and how policies are managed is key to holistic assessment of policies. Both formal and more loosely-structured assessments can benefit from imagining future use of a policy by going through hypothetical scenarios, or by recalling situations from actual operations or exercises. Understanding the working methods and point of view of other organizations are important in Supporting coordination and synchronisation of distributed operations. This can be increased by cross-organizational assessments and reviews of policies. Between similar organizations a peer review process for policies can also help to homogenize and increase the quality of policies.
In the planning of policy revision activities should also consider aspects regarding training and implementation of policies in the operational setting.
Below are suggested themes to be included in these activities, through the use of the corresponding triggering questions.
- Reflect on the policy management process
- How are emergent risks and threats identified and described?
- How are identified risks and threat used in the policy management process?
- How well is the cross-domain, cross-organizational or cross-border perspective included?
- Involve operational personnel in the policy management process
- Are operational personnel included and invited to participate and provide expertise and experience in the processes involved in policy making?
- Are bottom-up organizational processes provided to encourage dialogue between policy-makers and operational personnel?
- How do these processes support establishment of common ground, understanding and trust between policy-makers and operational personnel?
- Design policies for flexible use
- Can policies be designed so that their parts (items, sections, etc.) can be used flexibly and as inputs to decision making in specific situations, rather than sequentially procedures to strictly follow?
- Identify and evaluate existing policies
- How many and which policies are operational personnel expected to work by?
- Have conflicts between these policies been analysed (between different roles and organizations)?
- Have conflicts between policies of operational personnel of different organizations following different policies been analysed?
- Are there situations where operational personnel would need support but policies do not apply?
- Is operational personnel supported sufficiently by the existing policies?
- Identify weaknesses in application of existing policies
- Are policies easy to understand in various situations?
- Are policies too constraining to deal with actual situations or too general to give concrete guidance?
- Have operational personnel developed alternative ways of working, compensating strategies, or work-arounds during their actual use of policy? Why?
- Has this actual use of policy in terms of difficulties of application, alternative ways of working, compensating strategies, or work-arounds been analysed with the purpose to understand them (instead of counting and condemning “violations”)?
- Have gaps between policies and reality been analysed and identified?
- Assess policies as part of the whole context, rather than individual policies
- Has a joint validation of purpose and underlying intent of policies been performed?
- Have sets of policies been evaluated together in order to assess their joint applicability, complexity, overlaps, bureaucratization, and conflicts?
- Have different roles’ and organizations’ perspectives and views on the same policies been included in assessments?
- Have the amount of policies and expectations on policy-driven actions versus actions that cannot or should not be covered by policies been addressed and put into context?
- Has the need for support for interpretation of policies, pre-authorizing exceptions, and handling exceptions been identified and addressed?
- Can policies that have low fitness-for-purpose be redesigned or removed?
Policy Training and Implementation Support
- Impose strategies or mechanisms for communication, training, and support
- Is a communication strategy in place on how information on new, modified, redesigned, or discontinued policies will be communicated to relevant actors (both policy-makers and operational personnel)?
- Is a training strategy developed on when and how operational personnel will be trained on policies?
- Are supporting mechanisms put in place to provide support to operational personnel when applying policies during response operations?
- Consider implementation aspects of new or revised policies in the planning of policy revision activities
- Are preparations and processes established for how to provide guidance to operational personnel on when to apply policies and when policies are known not to be applicable in some situations?
- Are preparations and processes established for making policy-makers available during response operations?
- Are preparations and processes established for resolving policy conflicts during response operations?
- Are processes in place for tracing policy changes over time and following-up the effect of these changes?
During a crisis
During crises, consider which roles could need support in applying policies or resolving situations where policy use is problematic. Allocate specific roles in your organization that have the responsibility for addressing these policy issues during crises. Below are suggested themes and triggering questions to be included in these activities.
- How is the information regarding application of policies documented to facilitate organizational learning?
- Do operational personnel know how to act or who to contact when conflicts between policies occur, a policy is not fit for purpose, or when policies are missing?
- Is guidance provided to operational personnel on when to apply policies and when policies are known not to be applicable?
Policy Training and Implementation Support
- Is guidance provided to resolve policy conflicts during response operations?
- Are policy-makers available during response operations?
After a crisis
Actual crises often provide ample opportunity to learn how and why policies did or did not have the desired effects in actually supporting the crisis management operation. During after-action reviews, debriefing sessions, and analysis work for lessons learned, allocate explicit attention to the use of policies and potential opportunities for improvement. These can be complemented with specific follow-up interviews, workshops, and analyses of communication logs or operational documentation and other recorded data when it is necessary to inform the lessons learned process regarding the use of policies. Consider the perspectives of multiple organizations and roles, as opinions and experiences on the same policy can differ widely. Include the following themes and triggering questions in these activities.
- Has feedback been collected on applied policies from different organizations, domains, and levels in order to have a holistic perspective?
- Has the use of the sets of policies in the context of work and the situation been analysed, and has the fitness of policies for the event been assessed?
- Did operational personnel employ alternative ways of working, compensating strategies, or work-arounds during their actual use of policy? Why?
- Has this actual use of policy been analysed with the purpose to understand them (instead of counting and condemning “violations”)?
- Could the changes in operational environment leading up to and during the event have led to outdating of policies?
- What lessons can be learned from the actual use of policies?
- What lessons can be learned about the flexibility of use of policies?
- Could additional policies (as part of suggesting lessons to be learned) risk negative effects, by increased documentation and bureaucratization of work, increased workload, diminished creativity and innovation, or decreased ability to meet unexpected events?
- How are lessons learned fed back into the policy design process?
- How are lessons learned fed back into redesign of more flexible policies?
- Are recommendations for policy redesign followed-up in a systematic way?
Policy Training and Implementation Support
- Have the operational personnel applied current policies in an advisable manner that could be included in training or policy revision?
- Have the operational personnel had sufficient training and support to be able to apply current policies?
- Have policy conflicts or other policy related problems been identified and how were they resolved?
Understanding the context
Response operations to emergencies and disruptions build upon different types of policies, including for example plans, procedures, or checklists. There is a wide span of challenges related to policy management for response operations where emerging risks and threats may occur. These kind of response operations are characterized by multiple policies necessary and being applied. Such policies may be developed and modified separately by various actors in independent processes at different levels. A risk during such development is that feedback or involvement from operational personnel are overseen or that the development is guided by incorrect priorities.
Policies may be modified too often or with insufficient frequency. Policies may also be too specific, too constraining or too general with respect to the operational environment and its emerging risk and threats. In turn there is a risk for both too many and too few policies. There is also a risk for incoherent or conflicting policies or policies (within or between organizational units) that are difficult for operational personnel to apply. Moreover, operational personnel may not have enough time to notice changes in policies or understand the modified content of the policies.
This may result in policies that to varying extent are not fit-for-purpose, meaning the goals that a policy aims to achieve are not actually supported by the policy. Operational personnel may need to improvise and in the long term develop alternative ways of working (compensating strategies) to get their tasks done, despite policies that aim to support their work. How to create and maintain a legitimate space of manoeuvre relative to policies in situations where they are not fit-for-purpose are covered in Adaptation relative to procedures. A suitable implementation of flexible use of policies can be a source of Resilience (see Identifying sources of resilience) and similar an overly rigid use of policies can be a source of brittleness (see Noticing brittleness.
The purpose of this capability card is to encourage systematic work with management of policies and using relevant means to facilitate dialogue among operational personnel and policy-makers, as well as among policy-maker groups. Systematic work refers to work that is performed methodologically according to decided procedures, for example in a step-by-step manner that, in principle independently of context, always include the same procedures at each step.
In order to achieve adaptive and holistic policy management for emerging risks and threats such dialogue needs to take place across domains, organizations, and geographical borders. Such dialogues are thus dependent on Establishing networks, Establishing common ground and Understanding roles and responsibilities.
This policy management includes simplifying, modifying, or redesigning policies to learn from ways of working and compensating strategies that operational personnel use to handle emerging risks and threats and get the job done. Since novel or complex crises can challenge policies such compensating strategies need to be expected and seen as feedback to the policy management (see Adaptation relative to procedures). The overall goal of such policy management is a set of policies with high fitness-for-purpose. A set of high fitness policies refers to an appropriate number of (preferable joint) policies with an appropriate level of detail that are adapted on need-basis with an appropriate frequency. On need-basis corresponds to a combined approach of a bottom-up (operational needs, experience and observed unanticipated emergent risks and threats, etc.) and a top-down (anticipated emergent risks and threats, regulatory and management needs, etc.) perspective.
The actors that are concerned by this capability card are public and private entities with tasks and roles related to dealing with emergencies and disruptions. This capability card relates to the following stakeholders: operational personnel and policy-makers. Operational personnel are those who select, use, apply or follow regulations, procedures and policies during dynamic situations (emergencies and disruptions). Examples of operational personnel are emergency managers, medical coordinators, on-duty engineers, and traffic controllers. Policy-makers are those who design, review, validate and sign off regulations, procedures, and policies (here in sum called “policy”). Examples of policy-makers are subject-matter experts, policy officers, and preparedness managers.
The scope of this capability card is response operations to all types of emergencies and disruptions.
The applicability of this capability card is to all administrative and management levels, all types of actors and to cross-border, cross-organizational, and cross-domain settings.
Relevant and applicable policies for dealing with emergencies and disturbances characterized by occurrence of emerging risks and threats.
Systematic management of policies contributes to a higher degree of predictability of which actors may be involved and when, as well as what they may do and how. In turn it also contributes indirectly to an increased mutual understanding and calibrated mutual expectations among the actors.
Relation to adaptive capacity
Policy management is more adaptive and holistic with the application of this capability card. The need for development of new, modification of existing or discontinuing of irrelevant policies is identified systematically, based (if applicable) on cross-domain, cross-organizational, or cross-border perspectives.
Relation to risk management
Traditionally risk management generates new policies when new risks are discovered, which may result in fragmentation of the policy management process. Systematic management of policies involving policy-makers and operational personnel enables a holistic perspective on the overall impact and support of policies on operational work.
An associated challenge or pre-condition for achieving the objectives and ambitions of this capability card is the presence of an attitude, “culture” or “tradition” for working and interacting across organizational management and administrative levels, in cross-domain, cross-organizational, or cross-border settings.
An additional challenge may be legal constraints limiting the development of joint policies.
Relevant Practices, Methods and Tools
Exercises to assess and validate. Exercises are important for testing and gather suggestions for improving policies. These exercises can be either of lower fidelity, such as tabletop exercise (TTX), or with higher fidelity, such as command post exercises (CPX). Exercises can be a useful method to assess and validate policies.
Gathering feedback. Observational methods, combined with focus groups and other workshop and discussion methods can be used to discover strategies and work-arounds that may indicate problems with policies that need to be managed.
Peer review. By implementing a process where similar organizations peer review each others' policies the organizations can better learn from each other.
The use of frameworks. A descriptive “strategies framework” (e.g. Rankin et al., 2014a) may be used to uncover the strategies used by operational personnel in a more systematic way, when and how they are applied, and how they relate to policies and policy-makers’ objectives. The categories in the framework target three main areas: (a) a contextual analysis, (b) enablers for successful implementation of the strategy, and (c) reverberations of the strategy on the overall system. A learning loop (Rankin et al., 2014b) may be used to learn from adaptive performance.
Existing artifacts and processes
- Alter, S. (2014). Theory of workarounds. Communications of the Association for Information Systems, 34(1), 1041–1066.
- Amaratunga, C. A. (2014). Building community disaster resilience through a virtual community of practice (VCOP). International Journal of Disaster Resilience in the Built Environment, 5(1), 66-78.
- Besnard, D., & Arief, B. (2004). Computer Security impaired by ligitimate users. Computers & Security, 23(3), 253–64. http://doi.org/10.1016/j.cose.2003.09.002.
- Carim, G. C., Saurin, T. A., Havinga, J., Rae, A., Dekker, S. W. A., & Henriqson, É. (2016). Using a procedure doesn’t mean following it: A cognitive systems approach to how a cockpit manages emergencies. Safety Science, 89, 147–157. http://doi.org/10.1016/j.ssci.2016.06.008.
- Comfort, L. K. (2007). Crisis management in hindsight: Cognition, communication, coordination, and control. Public Administration Review, 67(SUPPL. 1), 189-197.
- Dekker, S. W. A. (2000). The bureaucratization of safety. Safety Science, 70, 348–357. http://doi.org/10.1177/0020852300662008.
- Dekker, S. W. A. (2001). Follow the procedure or survive. Human Factors and Aerospace Safety. 1(4), 381-385.
- Dekker, S. W. A. (2004). Ten questions about human error: A new view of human factors and system safety. Mahwah, NJ: Lawrence Erlbaum Associates, Inc.
- Department of Homeland Security (2008). National Emergency Communication Plan. Rev. Aug 7, 2008.
- Hale, A., & Borys, D. (2013a). Working to rule, or working safely? Part 1: A state of the art review. Safety Science, 55, 207–221.
- Hale, A., & Borys, D. (2013b). Working to rule or working safely? Part 2: The management of safety rules and procedures. Safety Science, 55, 222–231.
- Henningsson, A. & Jacobsen, U. (2014). Olycksutredning – Skogsbrand Västmanland (dnr 2014/336 – MBR – 196).
- Hernantes, J., Rich, E., Laugé, A., Labaka, L., & Sarriegi, J. M. (2013). Learning before the storm: Modeling multiple stakeholder activities in support of crisis management, a practical case. Technological Forecasting and Social Change, 80(9), 1742-1755.
- Lundberg, A. J., & Woltjer, R. (2014). A Framework for Learning from Adaptive Performance. In C. P. Nemeth & E. Hollnagel (Eds.), Resilience Engineering in Practice, Volume 2: Becoming Resilient (pp. 79–95). Farnham, UK: Ashgate.
- McCormick, S. (2012). After the cap: Risk assessment, citizen science and disaster recovery. Ecology and Society, 17(4).
- Rankin, A., Lundberg, J., Woltjer, R., Rollenhagen, C., & Hollnagel, E. (2014a). Resilience in Everyday Operations: A Framework for Analyzing Adaptations in High-Risk Work. Journal of Cognitive Engineering and Decision Making, 8(1), 78–97. http://www.diva-portal.org/smash/get/diva2:619907/FULLTEXT01.pdf.
- Rankin, A., Lundberg, J., & Woltjer, R. (2014b). A Framework for Learning from Adaptive Performance. In C. P. Nemeth & E. Hollnagel (Eds.), Resilience Engineering in Practice, Volume 2: Becoming Resilient (pp. 79–95). Farnham, UK: Ashgate.
- Suchman, L. A. (1987). Plans and situated actions: The problem of human machine communication. New York: Cambridge University Press.
- Waugh Jr., W. L., & Straib, G. (2006). Collaboration and leadership for effective emergency management. Public Administration Review, 66(SUPPL. 1), 131-140.
"Process to train for, assess, practice and improve performance in an organization Note 1 Exercises can be used for validating policies, plans, procedures, training, equipment, and inter-organizational agreements; clarifying and training personnel in roles, responsibilities; improving individual performance and identifying opportunities for improvement; and a controlled opportunity to practice improvisation Note 2 A test is a unique and particular type of exercise, which incorporated and expectation of a pass or fail element within the goal or objectives of the exercise being planned". (Source: ISO22300)
A sequence of activities designed to produce a specified output (Source: ISO/IEC/IEEE, 2010, DARWIN D1.3, 2016)
"Person or group of people that holds a view that can affect the organization" (Source: ISO22300) "An individual or a group of individuals who are affected by, or able to affect a system. This includes developers, users, and actors." (Source: Sommerville, 2001, DARWIN D1.3, 2016).
- Training (term)
"Activities designed to facilitate the learning and development of knowledge, skill, and abilities, and to improve the performance of specific tasks or roles" (Source: ISO22300)
A workshop is a period of discussion or practical work on a particular subject in which a group of people share their knowledge or experience. (Source: https://www.collinsdictionary.com/dictionary/english/workshop).
- Parent theme: Developing and revising procedures and checklists
- Resilience abilities
- Categories: Collaboration, Planning, Procedures, Governance
- Functions of crisis management: BEFORE, Preparation, Plan for crisis, DURING, Command and control, Execute and revise plan, AFTER, Learning, Revise crisis management processes, Assess performance