The process of integrating risk management – usefulness, standardisation and adaptation

: In this paper we analyse how a municipality set out to integrate risk management throughout an organization with more than 9,000 employees in six divisions and over 100 sub-units. An objective was to ensure coherence in risk management related work conducted in various sub-units in the municipality. Being forerunners, those involved had to find their own way. We identify three focus areas of importance in the integration process: usefulness, standardisation and adaptation. We describe and discuss the activities within these focus areas, and their value to the integration process. We collected the data in this study over a six-year period. The period encompasses the development from intention, where only a few people were involved, to realisation in divisions and sub-units. The study is delimited to risk management related to safeguarding the population.


Introduction
Risk management (RM) concerns gaining knowledge about and handling risks to avoid accidents and harm (Renn 2008;Rausand and Bouwer Utne, 2009).Aven (2008:6) defines RM as 'all measures and activities carried out to manage risk'.RM typically includes measures and activities like risk analyses, contingency plans, exercises and evaluating and implementing options that could reduce risks.
RM is elaborated in general frameworks like ISO 31000, the IRGC Risk Governanceframework and the RM framework of Rasmussen based on systems thinking (International Organization for Standardization, 2018;Renn, 2005;Rasmussen, 1997;Cassano-Piche et al., 2009).These framework prescriptions may need to be customized when used (Lampel et al., 2014).
The starting point of our study is related: employees in the emergency preparedness staff found known RM prescriptions not fully suited for integrating typical RM measures and activities throughout the diverse organisation.The intention was to create coherence in RM to improve management and handling of risks.This coherence constitutes what we in this paper refer to as a risk management system (RMS): an overall system connecting components to be used in the entire organisation.The research question discussed in this paper is how this long-lasting process of integration took place.
Data collection spanned six years, which provides an opportunity to study development from intention to realisation.This paper contributes to RM studies by identifying three focus areas of importance in the integration process.It also provides some learning points of general interest regarding the integration process.
The study is delimited to RM related to the municipalities' responsibility to safeguard the population.The risk domain emphasizes the importance of successful implementation of RM.Mainly based on Fullan (2007) implementation is the process of putting into action new measures and activities in an organisation, for instance risk analyses.
However, we prefer to use the term 'integration' based on a scholarly perspective emphasising the desired outcome of implementation (Sandford and Moulton, 2015).Here integration implies that implemented measures and activities become institutionalized, being incorporated in routines, practices, and areas of responsibilities.

The empirical context
Norwegian municipalities offer a wide range of important services at the local level, like education, care, cultural activities, fire protection, environmental issues, infrastructure, renovation, and spatial planning (Sandberg, 2005;Ministry of Government and Modernisation, 2015).The Norwegian Civil Protection Act and associated secondary law from 2011 address municipal obligations ensuring safety within all areas of responsibility and at all administrative levels.In addition, legislation in various sectors regulates municipalities.Internal control is the superstructure; the municipalities must themselves ensure the follow-up of legal requirements.Also, regulatory authorities control the municipalities' follow-up.
The Civil Protection Act and secondary law require a comprehensive risk-and vulnerability analysis, an emergency preparedness plan, long-term and strategic planning, exercises, and that the municipality works systematically and holistically with safety across municipal sector-lines (Norwegian Directorate for Civil Protection, 2018).The legislation does not instruct in detail on how to fulfil the stated requirements (Baldwin et al., 2012).In Norway this legal trait is called function-based regulation.Here, managers have the latitude to make their own arrangements suited to their local context and situation.
The municipality in the study had more than 9,000 employees in six divisions and over 100 sub-units at the next two organisational levels.The municipality had an emergency preparedness staff managed by a head of emergency preparedness.The staff consisted of two employees at the start of the study, but the number had tripled when our study terminated.
The staff was subordinate to a division.The division head was part of the top management team, a team that also included the chief municipal executive.The head of the emergency preparedness staff and members of the top management team participated in a crisis management team.The team handled severe adverse events at a strategic level.

Theoretical framework
We presented the terms RM and RMS in the introduction.Now, we will make excerpts from classic and newer theoreticians within planning and organizational learning, as it can shed light on analysing an integration process directed at building competence in the organisation in a structured manner.Further, we will use a spiral of exploration and exploitation as the superstructure for discussing the value of identified focus areas of importance to the integration process: usefulness, standardisation and adaptation.Inspired by Fain et al. (2018), the spiral illustrates the continuous interchange between exploration and exploitation as an advanced, nuanced and iterative process.The arrow-like shape of our figure 1 emphasizes that the movement between exploration and exploitation does not go back to the initial start but moves on in a continuous process.The focus areas are intertwined in this spiral.We introduce them in the exploration-sub-section.

March focuses on balancing resources spent on exploring possibilities versus
exploiting what is already known (March, 1991;Selmer-Anderssen and Karlsen, 2016).
Since then, many scholars have studied how organisations manage to balance exploration and exploitation (Choi and Chandler, 2015;Raisch and Zimmermann, 2017).Choi and Chandler (2015) conceptualized the meaning of exploitation and exploration analysing innovation in the public sector.Here, exploration is boundary-spanning activities.
Exploitation is refinement.It implies learning withing a given boundary.The conceptualization is suitable for the purpose of our paper as well.Nooteboom (2000) illustrates the coherence of exploration and exploitation as a cycle.
We think his presentation about learning new insights serves our study as well: "The basic idea is that new meanings, ideas, and competencies are generated from practice across a variety of contexts.In order to explore novelty, one must exhaust present practice: accumulate incentives for, as well as directions of change, experimenting with minor change to build up to major change" (Nooteboom, 2000: 188).March (1991) lists several elements in exploration, like search, experimentation, and flexibility.Designing mini laboratories can be a way of exploring how to develop and include new ideas in an organisation and fill them with suitable content (Nooteboom, 2000).This trial-and-error activity enhances emerging solutions.In this process, there is room for failures.It is part of a creative process, playing with different ideas.Autonomy in self-organising groups can be a way to experiment to develop locally suited solutions.

Exploration and the focus areas
Complex problems need handling from different angles (perspectives) and interaction.
A way to handle complexity is to break down into smaller parts and test them, described by Lindblom (1979) as disjointed incrementalism.
Through testing and rejecting of ideas, the most suitable solution can be selected and further exploited.We can connect this to usefulness; if a practice is not relevant it will not spread further in the organisation but be rejected.Analogously, Rasmussen (1997) states that laws are not followed in detail if not relevant; the users must find them meaningful.Lee and Kho (2001) relate meaningfulness to how employees find their work relevant according to own values and ideas.Meaningful processes can empower participants and strengthen their commitments, as Nilsen (2008) found when studying the use of adjusted risk analysis tools for municipal activities.Perry and Lindell (2003), correspondingly stress that, even in the pivotal matter of safe communities, practices and planning depend on motivation, skills, and resources.Both human and financial resources constitute a foundation for RM in organisations (Klinke and Renn, 2012).
Exploration is, among other things, about discovery (March, 1991).Resources might be invested to create new solutions.Also, it might be about finding existing solutions, like standards or other standardised measures.Standardisation is one of the coordination mechanisms in organisations.Mintzberg (2014) lists different types of standardisations: standardisation of work processes, outputs, skills, and norms.Complicated organisational work favours standardisation (ibid.).In standardisation Bettis and Prahalad's (1995) ideas of the dominant logic are prevalent: to consolidate the new content from exploration, reach a common understanding and to fit it into new practices in accordance with the organisation.Olsen et al. (2020) show that standardisation within risk issues plays an increasing role in risk management and governance across sectors and institutional frameworks.
Standardisation and standards can provide uniformity and recipes for what risk managers should do (Brunsson, 2000;Brunsson and Jacobsson, 2000;Olsen, 2020a).However, Olsen (2020b, p. 279) stresses that semi-professional analysts might take standards for granted.They do not necessarily fit a local specific context.Standards might need to be translated into the context.Translation can result in a variety of practices (ibid.)which for instance could hamper the comparison for risk assessments between organisations or sub-units.Another issue is the indication of reduced motivation to conduct tasks like risk assessments when the level of standardisation is high (Tehler et al. 2020).Standardisation as a coordination mechanism has limitations too.When the situation is too complicated, interaction between actors is required (Mintzberg, 2014;Olsen et.al, 2020).For an indepth study of benefits and drawbacks when standardising risk management, see Olsen et al. (2020).
Adaptations of practice can be incremental, building on ongoing experiences and changing if unforeseen incidents occur (Lindblom, 1959(Lindblom, ,1979)).Incrementalism allows for the building of knowledge, not as a fixed body, but as an ongoing process (Heazle, 2013).Heazle (ibid.)analysed the use of incrementalism in Australian disaster management.Unlike existing "predict then act" approaches, an incremental approach to adaptation depends on developing better understanding of how and why adverse events become disasters.Like double loop learning (Argyris, 1977), it is about finding out what the underlying problems are and being able to change direction (invent new solutions) before adverse events happen.Adaptation allows for flexibility, for instance implementing new practices in new contexts (Nooteboom, 2000).Adaptation takes place in a movement between exploration and exploitation, as illustrated in figure 1.
The constant movement between explore and exploit can also be found in elements from action learning, where learning and doing go hand in hand.It is a continuous process of "learning to do by knowing and to know by doing" (McLelland and Dewey, 1889, p. 182).In this process reflection upon action is a way to find new solutions or to refine or reject actions if they are not suited (Schön, 1991).The principles of action learning are highly relevant in risk management planning.Risks are often unpredictable and difficult to foresee and therefore there is need for adjustments.Perry and Lindell (2003) stress the importance of addressing emergency planning (RM activities like risk analyses, emergency preparedness plans and exercises) as a dynamic and constantly ongoing process.A written plan is just a snapshot in time.In our understanding they have elements of emergent planning and incrementalism due to the emphasis on back-and-forth movement between the written plan and the ongoing adaptation.They emphasize flexibility to tackle different kind of situations and an understanding of leading principles rather than a specific and detailed plan.

Exploitation
Some ideas from exploration are found useful in the organisational context and followed up through exploitation.The chosen ideas have to be filled with content and fitted into organisational practice by testing, whilst some ideas are underdeveloped and need to be refined (March, 1991).
The notion from action learning; "knowing by doing" (McLelland and Dewey, 1889) is suited in the exploitation category.To be efficient and execute tasks in the organisation, there is need for common knowledge.On the other hand, if an organisation is too constant, only executing tasks and not reflecting on them, it is difficult to meet changes.

The pitfalls-chaos or inertia
The unbalanced pursuit of exploration and exploitation can result in negative consequences (Choi and Chandler, 2015).
In exploration, chaos is a pitfall (Nooteboom, 2000).For instance, there might be multiple deviations from a template issued to ensure uniformity of outputs.March (1991) also emphasizes that experimentation can result in many underdeveloped ideas that give no benefit to organisations.Put differently, there is a lot of talk but no action.Lindblom (1959) describes it as ill-considered analysis, often with bumbling incompetence.
The pitfall of exploitation is to experience inertia (Nooteboom, 2000).You might for example stick to your successes, preventing further development.Choi and Chandler (2015) refer to this as the success trap.March (1991) describes the pitfall as suboptimal stable equilibria, like a status quo.You can then take small steps, starting to explore new solutions.

Some experience from newer research
The challenge for organisations is to find a balance between exploration and exploitation.
It depends on the aim of, and the context for, the organisation.Choi and Chandler (2015) have presented a conceptual framework of exploration and exploitation in public sector and reflected on public organisations' capability and challenge to explore new knowledge in addition to taking care of day-to-day services.They present some empirical cases of this dilemma, showing that public services can contribute with innovative ideas and can function as a laboratory for new ideas.New Nordic research about reforms in the public sector shows the Nordic countries as "active and eager reformers", in contrast to earlier studies (Greve et al., 2016:125).

Method
This is a longitudinal study that took place over six years.The outset was a report written by one of the authors concerning RM in a municipal setting based on the new Civil Protection Act.In 2011 the author gathered data in several organisations.One of the municipalities had plans regarding a RM pioneer process.The aim was to integrate RM as part of the responsibility in all main organisational units in a larger municipality in Norway.We interviewed the one in charge of the process in the municipality again in 2013 and in 2016, wanting to learn from their experience and conduct a new study.
Case studies provide the desired possibility for more in-depth inquiries.We chose a single case study, given our interest in that organisation.We required additional sources of information as the process developed.The opportunity to do this presented itself in 2017.
The process of integrating RM in all divisions was not fully determined and planned in detail when it started.Therefore, we deemed an explorative research design most suited when seeking insights into a novel process.At first, we were mainly interested in a description of how the integration process was conducted and what the organisation wanted to integrate.Later, as we gained more insight, our interest altered to what we refer to as focus areas in the integration process.
Our main data sources were the municipality's internal templates, guidelines and examples posted on the intranet, descriptions of the content of internal courses and printed risk-and vulnerability analyses and emergency-and preparedness plans.Two reports provided additional information: an external audit of the emergency and preparedness work in the largest sub-unit in the municipality, and the County Governor's supervisory audit from 2016.Here the auditors´ appraised the present status of emergency preparedness work in the municipality.We could identify and verify whether key RM issues were effectuated or not using the written material.The material also corroborates the three focus areas of our findings: usefulness, standardisation and adaptation.
We interviewed nine municipal informants once to gain additional information about the integration process.These interviews focused on training and role in the integration scheme.Most of these informants also provided information about the process at the time the interviews took place and the process in retrospect.
We placed emphasis on formal roles in the integration of RM when selecting municipal informants.We required diversity among the informants as the process involved the entire organisation.Therefore, the informants represent a variety of roles in the process, having hands-on RM tasks either as leaders (including the one in charge of the integration process who was head of the emergency preparedness staff) (4), contingency coordinators (3), staff member providing education (1), staff member in the emergency preparedness staff (1) or those otherwise executing RM related tasks (1).Personnel in the emergency preparedness staff advised us when picking out representatives among those with similar roles.Two factors were relevant: 1) availability at the time of data collection 2) involvement during the entire process.Everyone invited to interviews agreed to attend.
By establishing intervals for data collection every few years, we gathered up-to-date information about intentions, progress and changes undertaken in the long-lasting process.
We also interviewed three external informants: a provider of a municipal seminar and two representatives from national and regional authorities.The latter informed about regulatory requirements.
We recorded and transcribed the fourteen semi-structured and one open-ended interviews.Informants and interviewer met in person.
The integration process was not entirely completed at the end of our study.The process was not a formal project with deadlines and a defined completion date.Even so, we find that the process from the second half of 2011 to the summer of 2017 provided sufficient data for our study.
The methodological approach arguably contributes to internal validity, i.e. trustworthy findings.We find that the collected data are relevant according to the research questions, ensuring data validity.Further, choice of key informants and triangulation of data sources achieves data reliability.To interpret the data sets, we employed qualitative content analysis.A conventional approach suited the research questions.We organised texts into content categories derived from the data.However, we had prior theoretical and practical knowledge in the field, most likely influencing our perspective.We used an interpretive analytical approach.
We presented the identified focus areas to a key informant afterwards, serving as a validity check.
As this is an exploratory study, we do not propose external validity, i.e. that the findings are transferable to other settings.However, we find that the process provides some learning points of interest.They are presented in the conclusion.

The starting point
The first idea of integrating RM related measures and activities throughout the The idea was to build a knowledge base for RM.The integration process lasted several years.
Our analysis finds that the integration process consisted of three focus areas.The tripartite presentation of results reflects that.Our reference to informants reflects that the one in charge of the process was the one with first-hand information about intentions and steps taken from idea to realisation.

Focus on usefulness
The top management had a two-folded motivation for integrating RM: the risk profile in the municipal area of responsibility and acknowledging a need for improvement regarding management and handling of risks.Legal minimum requirements were not an issue per se.
According to the person in charge of the integration process, no relevant government guidelines applied the concepts RM or RMS (often used interchangeably during the integration process) to a municipal setting.Also, the informant did not know of other municipal examples to learn from.The concepts were used in other industries, but the informant did not deem the practice as directly transferable to public administration.
Hence, it was necessary to make the concepts intelligible; to provide them with meaningful content suited for their organisation and their integration process.An understanding of what RM was all about in the municipality evolved among employees throughout the organisation as time passed: it was measures like risk analyses and emergency preparedness plans.A member of the emergency preparedness staff stated that reactions like: "Risk analyses?I know, it looks like that."became more common.As to RMS, several informants explain it quite similarly: about putting constituent components together to manage the risks, about vertical and horizontal interaction.
The informant in charge of the process expressed a concern about time spent: "I fear that if we decide to carry out risk management within a set date, and the foundation is not in place, then it won't work.It might appear as risk management.
But we don't want it like that; we want to proceed slowly but surely." Concerns about integrating RM in haste, and consequently lacking the requisite foundation, seem unfounded in retrospect.

Standardisation
The idea from the outset was two-fold: to build competence in risk-related subjects and to ensure propagation of competence in the municipality.This would in sum provide knowledge and thereby enhance RM.They did not start from scratch.Municipal managers had been offered internal management courses for many years on a regular basis.The courses included many subjects, i.a.health, security and environment (HSE) and contingencies.
Top management decided on a three-step approach.They developed a plan for education and funded it in the 2012 economy plan.The first step was to offer internal basic 7-hour e-learning and a one-day follow up practical course in risk analyses.The target group was managers from various levels of the organisation, typically a head teacher or a kindergarten director, and other members of staff with responsibility for riskrelated topics.The next step was a university course in risk analyses for a few selected employees from various sub-sections of the organisation (conducted in 2013 only).
During the course, the participants conducted municipal risk analyses within their area of responsibility.The third step was a university course in RM.This three-step approach was insufficient to integrate RM throughout the municipality, and was corrected, as we will elaborate in the next sub-section.
The courses provided standard competence across organisational boundaries.
However, this standardisation was oriented at serving the distinctive characteristics and needs of divisions and sub-units.The training scheme gave the municipality a basis for RM, one of the leaders said.In addition, written guidelines, templates, and a collection of examples were issued.This was considered necessary to establish a homogeneous picture of risk within each sector of liability.However, such standardisation was hard to achieve.Risk assessments varied between sub-units.For instance, abusiveness could be listed as a risk in one sub-unit, and not even be considered in another.
The three divisions that provided public services had a contingency coordinator each (three in total).Their function was of great importance in the integration process.They were employees assigned coordination tasks in the divisions where they worked.The divisions had many sub-units.The contingency coordinators followed up initiatives from the emergency preparedness staff, conducting risk and vulnerability analyses and emergency preparedness plans for their divisions, assisted by personnel from the emergency preparedness staff."We have to train the trainers", an employee in the emergency preparedness staff explained.The contingency coordinators did not have stand-ins, and they had other tasks as well, therefore the functions were vulnerable.
However, the work in the divisions was ongoing.The main elements in RM (risk analyses, emergency preparedness plans and exercises) were handled in a routine manner.
The contingency coordinators participated in monthly drop-in meetings with the emergency preparedness staff.Before 2017, contingency coordinators had no qualification requirements in emergency matters, but such requirements were imposed later.
To sum up, standardisation was part of the integration process.Templates were used to standardise work processes and outputs.The training scheme provided standardised skills.Also, by raising awareness of the importance of RM, management aimed to influence norms.However, one of the contingency coordinators moderated the importance of standardisation: "As long as everybody has managed to make risk analyses in their own way, then the channel of thought regarding safety and security is present."[…] 'They have executed a piece of work in their own way.I think that is cardinal." As we will see, the third focus area, adaptation, supports this view.

Adaptation
Effectuated measures were adapted during the integration process.This is most apparent in the course activities in RM related issues.The initial three-step approach had to be adjusted, because as time passed it turned out that the first step, the basic two-day risk analysis course, was too challenging for the target group.A simplified and less timeconsuming 2-hour course in risk analysis was offered.This course, which was supplemented with written guidelines and templates that were easily available on the intranet, was considered sufficient for many lower managers in the municipality.The simplified course was preparatory to the more extended courses in risk analysis for those aspiring for more knowledge.A plan they had regarding formal education within the risk domain after the first university course was also abandoned.It took too long in proportion to an intention of distributing and enhancing risk-related knowledge in the organisation.
A few years later the internal e-course and one-day course in risk analysis still endured, but a new approach also emerged: a 3-step internal course containing risk analysis, emergency preparedness plans and emergency preparedness exercises.The courses were scheduled to run on a regular with representatives from all sub-units.
In our opinion, the described shift in the training scheme indicates a turning point in the integration process: downsizing rather ambitious in-depth courses and formal education for a handful of participants to core activities for the many.It is a turning point because propagation of relevant competence clearly was considered important to the integration of RM throughout the municipality.
Those who worked with emergency preparedness in the contexts of division and subunits could, and did, adapt templates and acquired competence for their local context.The templates had to be tailor-made to make sense, because of variation in areas of responsibility throughout the organisation.The emergency coordinators were, of course, particularly important in such a phase.By adapting, they ensured that elements from RM were found useful at the local levels.A contingency coordinator summarized the benefits of templates and guidelines for those who had to make analyses and plans: "It is not that complicated then.You don't spend that much time.And you adapt it to your own sub-unit." For instance, a kindergarten template covered risk assessments before going on a trip.
In social services, a template described violent behaviour of clients and the risk for employees and others.Further, there are examples of how to conduct different kinds of exercises fitted for the different sectors.Another template elaborated how to behave if there is a school shooting, but specific details had to be added by personnel at each school.
Regardless of the templates, the sub-units could in principle model (i.e.adapt) their analyses and plans at their convenience.

An external perspective
Two external audits represented an external perspective on what the municipality had achieved.First, the County Governor conducted an audit of the municipality in 2016.The aim of the assessment visits was to see if the civil law and associated second law were followed.The interviews were with the top level, the emergency preparedness staff, and the three contingency coordinators at the division level.The auditor´s main impression was that the municipality prioritised the work with emergency and safety and had a plan for extensive competence-building.They found no deviation from the law.
Secondly, an external audit company offering audits to ensure quality in public service, assessed contingency matters in the largest division in the municipality, both in 2014 and 2016.The auditor sent the same questionnaire both times, to be able to compare and assess development.A conclusion was that risk analyses and emergency preparedness plans were mostly in place.Further, there was some lack of regular and widespread exercises, and oral instead of written exercise evaluations.The main finding was that the work with contingency improved from 2014 to 2016.

Discussion
We have presented three focus areas of importance to the integration process: usefulness, standardisation and adaptation.Now we will discuss their pros and cons related to the integration process and to RM.Then, we offer some reflections on integration of RM, the spiral of exploration and exploitation and suggest further research.

Usefulness as core value
Usefulness permeates the process of integrating RM in the municipality.It is a core value functioning as a leading star.To have or not to have a value is not a question of pros and cons, but rather how it entails the process.Hardly any organization has "not useful" as a value.
The value-oriented process our case illustrates, highlighting useful improvements of RM capabilities, arguably appeals to common sense.Further, usefulness entails relevant, meaningful, updated, commonsensical and practical measures and assessments well suited to the organisation in the study.All these elements can be helpful when advocating the necessity of integrating RM throughout an organisation (Lee and Koh, 2001;Nilsen, 2008;Perry and Lindell, 2003).Usefulness in this case implies both a safer community and an integration process that can adapt when needed.In our understanding the establishment of usefulness as a core value and making RM concepts intelligible and meaningful, establishing some sort of dominant logic (Bettis and Prahalad, 1995), were pivotal in the initial phase of exploration.
Notably, legal compliance is not a contrasting dichotomy implying not useful or insufficient RM.Not complying might undermine safety and security, for instance if missing out important requirements.In a function-based regulation regime, risk managers have the leeway to integrate useful RM, as long as requirements are met (Baldwin et al., 2012).The point made by Rasmussen (1997) of people not following in detail laws they found meaningless, is not an issue in our case.Still, Rasmussen´s point emphasizes the significance of perceived usefulness as a positive factor both in regulation and in the integration process.
The integration of elements that constitute RMS did not start from scratch.Some recipes existed, like risk and vulnerability analyses, emergency plans and exercises.Here we see that the starting point of an exploration and exploitation spiral is not clear cut.
Either way, the change was to make this into a complete system and integrated knowledge.Trying different solutions in a trial-and-error process enabled those involved in our case to choose suitable solutions (March, 1991;Lindblom 1959;1979;Nooteboom, 2000;Schön 1991).We see it as a pragmatic and commonsensical reflection amongst practitioners (Schön, 1991) connected to the core value of usefulness.
The importance of usefulness has parallels in some of the research on public reforms in the Nordic countries, that "Usefulness for society is highly valued" and performance orientation was common (Greve et al., 2016:203).

Standardisation as measure and aim
A process of integrating RM throughout the many sub-units in the municipality is complicated organisational work.Considering that an intention was to create coherence, constituting an overall RMS connecting RM-components, the use of standardisation as a coordination mechanism is as expected (Mintzberg, 2014).
Standardised measures often involve wide-spread distribution or many actors.In our case a multitude of employees gained knowledge in an effective manner via internal courses, templates etc.The established common ground was important to disseminate RM throughout divisions and sub-units.The standardised measures provided knowledge, examples to learn from and recognizable practices (Brunsson, 2000;Brunsson and Jacobsson, 2000;Olsen, 2020a).
The level of standardisation becomes an issue as perceived usefulness is important to the work of those involved in the integration process (Lee and Koh, 2001;Nilsen, 2008;Perry and Lindell, 2003;Rasmussen, 1997), as the overlap of focus areas in figure 1 illustrates.Also, the need for strict coherence must be balanced with other objectives, like safeguarding the motivation of employees (Tehler et al., 2020).We found the balance between the level of standardisation and usefulness to be well functioning.This may be due to the orientation of the standardisation: serving the distinct characteristics and needs of divisions and sub-units.For instance, seminars were restructured to fit the target group.
Standardisation was not only a measure, but also an aim per se: the intention of easily being able to aggregate or combine standardised risk assessments into one comprehensive risk profile.Tehler et al. (2020) show that standardisation might facilitate a combination of risk information from various sources.In our study object standardisation probably was not strict enough to attain such an aim.It seems like standardisation as a measure to propagate RM throughout the municipality had higher priority.Also, municipal standards (typically templates) were translated and adapted to the contexts of divisions and subunits, as standards might be (Olsen, 2020b).(Figure 1 illustrates overlaps between the focus areas.)Notably, Olsen (2020b) stresses that interpretation of context is the main challenge when applying RM standards.It is because a context for handling risk problems i.a. can be characterised by complexity and actors with different perceptions.In our opinion that challenge was addressed in the integration process, by allowing to adapt to the distinctive characteristics of the sub-units.
The translation made the recipes more useful in division and sub-units, resulting in a variety of practices.However, the variety weakened assessable comparisons between division and sub-units.Consequently, when standardisation is missing, there can be a lack of knowledge on how to put piecemeal information together in a coherent way.
We hold standardisation as a well-functioning measure in the process.Still, in the risk domain a pivotal question is whether standardisation and standards improve safety.
According to Tehler et al. (2020) few empirical studies have investigated that question.
Our study does not provide an answer, but the question is addressed under the sub-section of further research.

The importance of adaptation
The results show that both the integration process and process-related RM measures were adapted.
Adaptation of standardised RM measures can be appropriate because one size does not fit all (Olsen, 2020b;Lampland and Star, 2009).Earlier, we discussed the possibility of too strict standardisation impacting empowerment and motivation.That pitfall was avoided during the integration process as adaptation was allowed.The results show that adaptation was mainly about achieving useful RM measures suited to the specific context.
Incidentally, we note that the weighting of simplification in the evolving training scheme contributed in a positive manner.
Adaptation and the autonomy of the work in divisions and sub-sections could end in a chaos of contrasting ideas or local solutions that do not fit into a comprehensive RMS (Nooteboom, 2000).We think this pitfall was avoided due to an incremental approach of learning by doing and reflecting on progress (Argyris, 1977;Lindblom, 1959;1979;Schön, 1991).Such an incremental approach was arguably well suited for two reasons.
First, the managers responsible for the integration process had to find their way.This is a typical trait in the function-based regulation the municipality was subject to (Baldwin et al., 2012).Still, it was particularly salient in a situation without context-relevant examples to learn from.The incremental approach, testing and adapting in unknown territory, seems necessary.The function-based regulation provided leeway, allowing adaptation to reality and norms.
Second, a stepwise approach did not alter emergency preparedness capabilities in dramatic ways.Mistakes could quite easily be corrected.This also emphasises that balancing exploration and exploitation, the two core elements in the learning models of March (1991), is context dependent.Exploration involves risk-taking and experimentation (ibid.)and can be detrimental.It is hardly acceptable to jeopardize the safety of a community when a stepwise approach and refinement is sufficient.
There is a challenging aspect of an incremental approach as well: testing, failing, and retesting is time demanding.The approach therefore requires considerable resources.
Still, some RM measures, like contingency plans, might need to adapt frequently or swift.
Then, there is not necessarily time to test and retest before effectuating the change.

Integrating RM
As previously elaborated, the nuance between implementation and integration is important, (Fullan. 2007;Sandford and Moulton, 2015).In the risk domain the nuance is most likely of particular importance because vital values are at stake.In integration, implemented measures, like for instance exercises, become deeply rooted in the organisation.Incorporating exercises in routines, practices and areas of responsibility, increases the chances of actually carrying them out.Thus, integration most likely contributes to improved RM capabilities of essence to safety and security in society.A longitudinal study provides the chance of seeing whether praxis is integrated and found meaningful over a longer period.Based on the findings, we can label the process in our case as integrative.The process is not only about implementation of recipes, but also about integrating praxis.We found RM-related tasks, like exercises, handled in a routine manner.This development was deliberate from the start, taking the required time.
Otherwise, it might just "appear as risk management", as the one in charge of the process put it.
The municipal responsibility is extensive, therefor municipalities must make the most of their limited resources.Integrating RM requires resources (Klinke and Renn, 2012;Perry and Lindell, 2003).In general, small and middle-sized municipalities do not have these resources (i.e. the knowledge and money).They can learn from the experience of others.Still, an integration process is per se resource demanding, and a strategy of copyand-paste does not suite every organisation or their risk picture.Spending resources must be appraised.Many other tasks also require attention.A restricted implementation process appears to be more in reach.Provided a thorough understanding of why RM is important, a process without the intention of a change in praxis seems unfortunate.The actual consequences of implementing versus integrating RM measures is a candidate for further research.

The spiral of exploration and exploitation
In our analysis we found the value of usefulness and the patterns of adaptation and standardization.We find the focus areas to be intertwined between exploration and exploitation, as illustrated in figure 1.For instance, usefulness provided the frames for both exploring and exploiting ideas.Seeing the integration process in perspective, the learning traits of exploration and exploitation become apparent (March, 1991;Nooteboom, 2000).There was a continuous exchange between exploring and exploiting, as illustrated in figure 1. Ideas or measures developed when alternating between exploration and exploitation several times, as shown by the training scheme.
Notably, it seems that attention paid to the effect of measures during exploitation was pivotal in order to ensure progress, i.e. being able to reject failed measures and then find new when exploring.The context-dependent balance of March (1991) between exploration and exploitation favours exploitation in this case.It was a matter of learning by doing, reflecting on praxis and taking incremental steps (Argyris. 1977, Lindblom 1959;1979;Schön 1991).
In our opinion, this approach also explains why potential pitfalls of exploration and exploitation (Choi and Chandler, 2015;Nooteboom, 2000) were avoided.For instance, adaptation and the autonomy of divisions and sub-sections did not end in a chaos of contrasting ideas.Neither was inertia a character trait during the process.Measures found unsuited during exploitation were terminated and new or altered solutions explored.March (1991) presented this conduct as a path out of status quo.We think the description emphasizes that the spiral of exploration and exploitation moves continuously.

Further research
We conducted a longitudinal study.Also, the nuance between integration and implementation of RM measures is interesting.Is it, after all, just a matter of semantics?Likewise, it would be interesting to study the impacts of integration / implementation processes founded solely on usefulness contra compliance.

Conclusions
In this paper, we have presented how the process of integrating RM throughout a diverse organisation, a municipality, took place.We identified three focus areas that characterize the integration process: usefulness, standardisation and adaptation.The latter two are general organisational processes.
The process was value-oriented, with usefulness as a focal point.The municipality chose an incremental approach, gaining experience and adapting the process from lessons learned.It invested considerable resources in education and courses, supplemented with guidelines and templates, providing standardisation that assisted the integration.Yet the need for standardisation was balanced with giving leeway to divisions and sub-units.This leeway also supported the focus area of usefulness to participants.Employees could conduct risk analyses and emergency preparedness plans suited to the idiosyncrasies of their divisions and sub-units.
The case includes a single organisation.The considerable resources invested, both economic and manpower, are not within reach for all organisations.However, there are some learning points of general interest.First, in the initial phase it is a matter of giving ideas and concepts intelligible content; "What is risk management to us?" Second, to work with RM, an adaptable platform of competence needs to be developed.If training should be relevant for different groups, it must be adapted to the target groups and their working environments.Third, focusing on the added value to the organisation seems beneficial.In our case, usefulness was established as an important value.And finally, when putting the consolidated content into action, and finding that it fails, adjustments must be allowed and given time.
In sum, the integration process must be termed as successful.The most prominent factor from our point of view is the incremental approach and taking the time necessary to benefit from such an approach.
municipality dates to 2010.It was a top-down initiative from the head of the emergency preparedness staff and the top management.As a first step, the top management team and all members of the crisis management team were informed, starting with a lecture on RM by an external expert.Informants from the emergency preparedness staff assessed the context for presenting RM as a topic of relevance throughout the organisation as challenging at the start, because RM was considered as their responsibility.However, adverse events nationally and locally raised awareness among municipal employees and politicians.The 22 nd July terrorist attack in Norway in 2011 killing 77 people was a focusing event contributing to an awakening regarding exposure to risks.In the municipality, the management team of the chief municipal executive discussed the evaluation of the attack.Based on that, financial resources (1 million NOK) were allocated for the process of integrating RM in the aftermath of the terrorist attack.RM should be part of the daily routine throughout the organisation.This was communicated within the municipality:"We have spent a lot of time visiting the top management and their management groups informing about why we should carry out risk and vulnerability analyses, the use of the analyses… and to bring them onboard.We have spent a lot of time and effort to inform and create an understanding of what we are doing."(Person in charge of the integration process.) It would be interesting to study further development and status in the organisation.Firstly, having spent substantial resources integrating RM, what are the focus areas in a phase of maintaining / advancing institutionalized RM measures?Secondly, what are the practical impacts of the integration process?For instance, has crisis management improved?Handling of Covid-19, crisis management involving the entire organisation, could be examined.Thirdly, what kind of learning points or generalization could another longitudinal study find compared to the learning points in our study (see conclusion)?