OFFPHD-Offentlig sektor-ph.d.

Risk analysis/-assessment is a central tool in management and governing. In Norway, a risk assessment approach for security risks (such as terror or espionage) has been developed, published as a Norwegian standard by Standards Norway (NS 5832:14: Societal security - Protection against intentional undesirable actions - Requirements for security risk analysis). The standard triggered a debate about whether there is a need for a separate approach to risk assessment for security, or whether such analyzes can be based on approaches developed within "safety," here understood as accidents and natural disasters. The case studied consists of both the development of the standard and the debate about the standard's content. It is based on a qualitative analysis with data from interviews, documents, and ethnographic fieldwork. Part of the project studies security experts' understanding of risk and the role of risk assessment within protective security management. The case is seen as a "prism" for investigating a meeting between two traditions, namely risk and risk management on the one hand, often linked to advanced industry and economics, and on the other hand security, traditionally linked to defense and the police. In the study of security experts' understanding, Michael Power's risk management theory is utilized and further developed. Several dimensions or "logics" are identified, characterizing today's risk management. Risk management is both about developing knowledge about the future (1), optimizing resources (2), management systems and responsibilities (3), and protecting assets (“values”) (4). The four logics are used to analyze the security experts' understanding and identifies a number of tensions. A central disagreement among the experts pertains to the role and use of probability in security risk assessments. The investigation identifies that probability has two "roles" when determining risk; generating knowledge about the future (1), but also moderate risk (2). The survey finds that those who are critical of expressing probability argue with the first role in mind, while those who believe that probability should be expressed and considered are most concerned with the second role. The study also identifies a tension pertaining to time and expectations of different assessments before and after an incident. Before an incident, a risk assessment is expected to contribute to identifying risks (uncertain knowledge) and balancing different considerations against each other (optimization under uncertainty). After an incident, however, the focus is expected to be on lack of protection and responsibility for this, which may lead to criticism. In the second part, the standardization process is studied, analyzed as a policy process in three phases. The “Multiple Streams Approach," a key theory within policy process analysis, is both utilized and further developed as a theoretical framework. The process consisted of a first phase, which took place within the public sector, where the risk assessment approach is presented in a guideline on protection against terrorism (National Security Authority, Norwegian Police Security Agency and Norwegian Police Directorate, 2010). Phase 2 consisted of the standardization process under the jurisdiction of Standards Norway, while the discussion that came after the standard was issued is defined as the third phase of the process. The study shows that both policy entrepreneurs and institutional context (especially which rules apply for decision-making) had an impact on the outcome in the various phases. The term "institutional deficit" is introduced to describe a possible structural gap in the standardization process, between the ability to produce rule-like products (standards) and the ability to take responsibility for the content of the standards.

Prosjektet vil bidra med kompetanseheving innen risikostyring og forebyggende sikkerhetsarbeid, både i departementet og relevante fagmiljøer. Det vil kunne bidra til bedre policy-utvikling på området. Det vil også bidra til økt kunnskap om standardisering som forvaltningspolitisk virkemiddel.

Det stilles krav til risikoanalyser i offentlige virksomheter på alle nivåer i forvaltningen. Det er vanlig å dele risiko inn i utilsiktede hendelser (ikke intenderte, som uhell eller naturkatastrofer) og tilsiktede handlinger (menneskeskapte og intenderte, som terrorhandlinger eller spionasje). Tradisjonelt har både tilsiktede og utilsiktede hendelser blitt vurdert i risikoanalyser. En slik tilnærming er forankret i etablert metodisk praksis (ISO 31000, NS 5814:2008). Det har de senere år blitt utviklet en annen metodikk knyttet til risikoanalyser for tilsiktede uønskede handlinger (sikringsrisiko). Norsk standard har utarbeidet en egen standardserie for sikringsrisiko basert på denne tilnærmingen, omtalt som 5830-serien. Utviklingen av sikringsrisikometodikken har resultert i at det eksisterer to ulike metodiske rammeverk, inkludert to norske standarder, som begge skal brukes til risikoanalyser og risikostyring. Et sentralt formål med prosjektet er å vurdere hva som forklarer utviklingen av en egen standard for risikoanalyse for tilsiktede uønskede handlinger i Norge (NS 5832) og hvilken betydning standardiseringen har fått for diskursen om risikoanalyse og for relevante offentlige beslutningsprosesser, og beslutningsprosesser hos eiere av kritiske samfunnsfunksjoner. Et mål med prosjektet er å få et bedre kunnskapsgrunnlag knyttet til metodikk for risikoanalyser, både generelt og rettet mot tilsiktede handlinger. Dette inkluderer økt kunnskap om hvordan risikoanalysene brukes i beslutningsprosesser og eventuelle konsekvenser av metodisk tilnærming for anbefalinger og beslutninger. Det er også et mål å få belyst standardiseringsprosessen rettet mot risikoanalyser.