Standardising policy in a nonstandard way: a public/private standardisation process in Norway

Abstract Standards developed by standard-setting organisations (SSOs) – sometimes labelled private rulemaking – are part of larger practices of governance in most societies yet are underinvestigated from a policy process perspective. Utilising and developing the multiple streams approach (MSA), this article investigates a policy process moving between government and the SSO Standards Norway (SN). The study finds standardisation by SSOs to be an ambiguous institutional arrangement. Strong institutional barriers in theory did not work as such in the case investigated. This article argues that the differentiation between responsibility for process (SN) and content (committee) makes the standardisation process vulnerable. The concept of “institutional deficit” is introduced to describe a potential mismatch between SSOs producing policy in a government-like institution, but where the SSOs are not capable of taking responsibility for policies in a government-like way. This article finds the adjusted MSA useful in this potentially least likely case.


Introduction
Standards developed by standard-setting organisations (SSOs), sometimes labelled voluntary standards (Fouilleux and Loconto 2017) or private rulemaking (Weimer 2006;Büthe and Mattli 2011), are part of larger practices of governance in most societies today.SSO standards were originally technical instruments of socioeconomic coordination (Higgins and Hallström 2007), but a substantial part of what is standardised today are organisational processes (Bartley 2018), such as risk management and corporate responsibility (Rasche 2010;Aven and Ylönen 2019).Although social science has engaged with standardisation more broadly, relative to its ubiquitous development (Brunsson et al. 2012), limited scholarly attention has been paid to SSO's standardisation (Timmermans and Epstein 2010), and the knowledge is fragmented (Botzem and Dobusch 2012;Bartley 2018).Since SSOs are ruled by private law, they have largely escaped investigations from a public policy perspective.SSO standards are important for public policy, however.Regulatory work that was earlier done by the state is often produced by SSOs (Gustafsson 2020) in decentred networks of public and private actors (Ansell and Baur 2018).Standards are often intertwined with public regulation (Frankel and Højbjerg 2007;Galland 2017) and are much used as a basis for public policies (Olsen 2020).SSO's standardisation should thus be investigated from a public policy perspective.
This article presents a case study of a standardisation process in Norway, investigated as a policy process.The investigation follows the policy proposal (a risk assessment approach) as it "travels" through three empirically distinct phases: First, when three governmental agencies within the police and military developed a guideline on terrorism protection (NSM et al. 2010), including a security-risk assessment approach.Second, this approach was introduced to Standards Norway (SN), the national SSO in Norway as an option for standardisation.The initiative resulted in a Norwegian standard on security-risk assessment (Standards Norway 2014).Third, after the standard had been published, a debate unfolded among security and risk professionals and public servants about the usefulness of the approach presented in the standard (Busmundrud et al. 2015;Heyerdahl 2022aHeyerdahl , 2022b)).
The three distinct phases of the process, combined with the stable policy proposal (the security-risk assessment approach), allow for a within-case, longitudinal comparative design (Gerring 2007), investigating how different institutional contexts enable and constrain the policy process (Zahariadis 2016).The study builds on a primarily abductive logic (Timmermans and Tavory 2012;Ashworth et al. 2019), where the multiple streams approach (MSA) is utilised and further developed through engagement with empirical findings (Kingdon 2014;Herweg et al. 2018).The article asks: How can we account for the establishment of the standard utilizing an MSA perspective, and how does the different institutional contexts enable and constrain the policy process?The three phases are investigated, before the article zooms in on the institutional characteristics of standardisation by SSOs, and how it shaped the process.Prioritising SSO standardisation does not imply a "free pass" for the governmental part of the process but reflects that standardisation is underinvestigated from a policy process perspective, compared to governmental policymaking.This article also discusses the usefulness of the MSA for the case at hand.
The study contributes to our understanding of how policies (in this case a riskassessment approach) are created in flux between government and private institutions, and how such policy processes might unfold.The case constitutes a national standardisation process.Most literature studying SSOs' standardisation investigates it trans-or internationally.A national standardisation process, however, can provide insights beyond the national context.SN generally follows rules and norms for standardisation set by the International Organization for Standardization (ISO), making the case an example of such standardisation.A standardisation process in a small country like Norway is moreover relatively "simple", potentially shedding light on characteristics of standardisation that may be blurred in a more complex, international context.Finally, the national level allows for a comparison of the standardisation process with a policy process within government, contributing to cross-fertilisation between public policy perspectives and the SSO literature.
This article notes the many ambiguities of SSO standardisation and how it creates possibilities for manoeuvring.It finds that contrary to the governmental phase, the institutional structures of standardisation did not withstand pressure and could be circumvented.In theory, SN has strong institutional barriers such as a consensus requirement.The barrier did not work as such, however.Instead, an institutional restructuring was created to solve a disagreement.This article argues that the differentiation between responsibility for process (SN) and policy content (committee) makes the standardisation process vulnerable.Finding common ground with other research on SSO standardisation, this article introduces the concept of "institutional deficit:" the SSO produces policy in a government-like institution, 1 but the SSO is not structured such that it takes responsibility for policies in a government-like way.
This article contributes to the policy process literature in three ways.First, the policy process perspective enables a comparison across organisational boundaries, shedding light on the institutional construction of standardisation by SSOs and the difference to traditional, hierarchical government.Second, the study is an atypical MSA study in that the process is miniscule compared to most MSA studies, with little public exposure and with public servants and professionals as central actors.This article thus explores the MSA's ability to "travel" to a very different environment.
Third, this article further develops the MSA framework.The MSA, originally developed by Kingdon (2014), has recently been elaborated both theoretically and empirically (i.e.Cairney and Jones 2016;Herweg 2016;Shephard et al. 2021).This article builds on, and refines, the call to "bring institutions back" into the MSA theory (Zohlnhöfer et al. 2016;Sager and Thomann 2017;Reardon 2018) and investigates the link between institutional context and the policy process.Institutions are seen both as formal structures (Zohlnhöfer and Rüb 2016) and as knowledge and ideas (Schmidt 2008).The study thus responds to calls for integrating mainstream and interpretive policy studies (Durnová and Weible 2020).A second development of the MSA consists of the process streams being understood as logics, not dependent on quantitative complexity.This enables the MSA to be utilised also in small policy processes.
The standard under investigation pertained to security-risk assessment.Security refers here to risks posed by intentional, malicious acts, unlike safety risks, related to accidents and natural disasters (Jore 2019).As professional areas, security and safety come from different traditions (Pettersen Gould and Bieder 2020); security has been linked to defence and crime prevention, and safety to areas such as engineering and management.The policy in this analysis, the risk assessment approach, differs from traditional understandings of risk, where risk is presented as a combination of probability and consequence.In the risk approach investigated, risk is a combination of asset, threat, and vulnerability, without reference to probability (SN 5832;Heyerdahl 2022a).Key to the debate has been the role of probability in 1 By «government-like» we here simply refer to government being responsible for both the process and content of governmental policymaking.security-risk assessments.This is not a uniquely Norwegian question, as probabilistic risk assessment approaches to security have been debated also in other countries, such as related to US Homeland Security (National Research Council 2010;Brown and Cox 2011;Mueller and Stewart 2011).
In the next subsection, SSO standardisation is presented, followed by chapters on theory and method.The case is then investigated as three historical phases, each consisting of empirical findings and an analysis utilising the adjusted MSA framework.The influence of knowledge as a structuring institution is included at the end of the chapter.The subsequent discussion and conclusion focus on the ambiguous features of standardisation by SSOs, how this influenced the case, and how it could be interpreted.The usefulness of the MSA is discussed before we appeal for more policy-oriented research on SSO standardisation.

Standards and standardisation
Standards can be defined as rules "for common and voluntary use, decided by one or several people or organizations" (Brunsson et al. 2012, 616).Standards from SSOs differ from government regulation as they are voluntary, although they sometimes become de facto binding (Jacobsson and Brunsson 2000).Their legitimacy is intimately linked to their capacity to solve problems and improve policy, so called output legitimacy (Botzem and Dobusch 2012): Standards are assumed to be best practice, or as ISO puts it, the "formula that describes the best way of doing something : : : the distilled wisdom of people with expertise in their subject matter" (ISO n.d.; see also Jacobsen 2000).
The authority of standards also depends on trust in the standardisation process: the procedural or input legitimacy (Botzem and Dobusch 2012).Roughly, a standardisation process of the kind investigated has three key principles: 1) it is open to all relevant parties, 2) participation is voluntary, and 3) the process strives for consensus (Standards Norway 2018b; see also Wiegmann et al. 2017).Standardisation is thus an arena for deliberation and bargaining between participants.It may draw authority through its inclusiveness of a broad range of actors (Boström 2006) or by including key stakeholders (Engen 2020).This links standardisation to ideas of network governance, where private and public actors interact, aiming at what is deemed more competent, knowledge-based, problem-solving policy, either in contrast to or supplementing, traditional, public government (Torfing and Sorensen 2014;Pierre and Peters 2020).
The impact and potential coupling of public policy and SSO standardisation has been investigated, such as the delegation of authority to SSOs through EU's New Approach (Egan 1998;Borraz 2007) and investigations of government involvement in committee-based standardisation, either through "hard" or "entrepreneurial" approaches (Wiegmann et al. 2017).
SSOs are often nongovernmental, voluntary meta-organisations2 that create and publish formal, written standards (Jacobsson and Brunsson 2000;Higgins and Hallström 2007).ISO and their national member organisations are examples of committee-based standardisation (Wiegmann et al. Blind 2017).The committees settle the content of the standards, whereas the SSOs facilitate the process.At large, most committee members come from industry, a smaller part from public administration or NGOs (Gustafsson 2020).
The interest in this article is in the national SSO "Standards Norway" (SN), Norway's member of ISO and the European Committee for Standardisation (CEN).SN contributes with experts to, and participate in the governing of, ISO and CEN and is obliged by regulation for standardisation set by CEN and ISO (Standards Norway 2018b).Most standards published by SN are implementations of international or transnational standards, but sometimes it is the other way around.3SN is part of the Norwegian polity, as a national SSO is an EU requirement4 and SN is obliged to implement all CEN standards (Standards Norway 2018b).
Theoretical framework: the MSA The MSA theory draws on bounded rationality theory from organisational studies (Cohen et al. 1972;Zahariadis 2003;Kingdon 2014).Key to the MSA is the idea of three analytically independent process streams: problems, policies, and politics (Ackrill et al. 2013).Problems are conditions perceived as in need of being changed, and where government action is needed (Béland and Howlett 2016).Problems may be pressing itself upon the system, such as a crisis, or build on feedback such as from indicators (Kingdon 2014).The second process stream consists of policies presented as potential solutions.5It is the ideas and accumulation of knowledge generating policy proposals.This stream consists of, but are not limited to, expert knowledge.Ideas and policy proposals "float" around in a "policy primeval soup" and wait for the right moment to be presented as the solution to a problem (Kingdon 2014, 19;Béland 2016).Consensus building is based on persuasion (the better alternative wins through) and diffusion (ideas spread).
The political stream manifests itself in the political system, influenced by organised political forces (Kingdon 2014;Herweg et al. 2018).Consensus within this stream is built through bargaining and building coalitions.It is the "winning" and "loosing", the ability to build a majority or not, which is defining the stream.Kingdon does not mention power, but the political stream clearly includes the struggle for power (Herweg and Zahariadis 2017).Governmental actors influence processes in two ways, according to Kingdon, through change in key personnel and questions of jurisdiction or "turf" (2014).
Kingdon's theory is strongly identified with the individual agent and the concept of policy entrepreneurs (PEs) (Jabotinsky and Cohen 2019).PEs are "advocates who are willing to invest their resourcestime, energy, reputation, moneyto promote a position in return for anticipated future gain" (Kingdon 2014, 179).Successful PEs can frame the problem and present a policy alternative as a solution.PEs need to "soften up" policy communities, by educating and convincing them (Kingdon 2014).
The most sited component of the MSA is the idea of policy windows (Jones et al. 2016).A policy window is open when a problem is pressing, a solution exists, and the political conditions are such that a majority can be created.It is an opportunity for PEs to actively couple the streams (Dolan 2021), either putting an issue on the agenda or make policy decisions (Zohlnhöfer et al. 2016).
A provocative assumption in the MSA is stream independence, as it "thwarts the seemingly natural expectation that problems and solutions must be logically tied to each other" (Winkel and Leipold 2016, 110).Stream independence is empirically not always the case, it is an analytical assumption, which makes it possible to "uncover rather than assume rationality" (Herweg et al. 2018, 39).
The MSA builds on two conditions, that of ambiguity and of temporal sorting (Zahariadis 2003).Ambiguity refers to "a state of having many ways of thinking about the same circumstances or phenomena" (Feldman, cited in Zahariadis 2003, 2-3).MSA is applicable only if there is ambiguity (Zahariadis 2003), as this opens room for manoeuvring (Herweg et al. 2018) and sometimes "venue shopping" (Ackrill et al. 2013).Higher ambiguity in an institutional context increases PEs' chance of manoeuvring and utilises a policy window (Bolukbasi and Yıldırım 2022).Temporal sorting implies that time and temporal order, more than consequential considerations, are key in the decisionmaking (Cohen et al. 1972).Choices are made because of a simultaneous materialisation of factors in time, more than that these factors are inherently correlated (Zahariadis 2003).
The MSA has been criticised for neglecting the impact of institutions and structural characteristics (Cairney and Heikkila 2014;Béland 2016;Zahariadis 2016;Zohlnhöfer et al. 2016;Koebele 2021).Zohlnhöfer, Herweg, and Huß argue that especially when analysing decisionmaking, formal political institutions must be included in a systematic way, as they "define which majority will suffice and which actors need to agree to adopt a policy" (2016,250).
A different MSA literature attending to institutions goes in an ideational or discursive direction.Policy is in this view about interpreting reality, and policymaking is a struggle over interpretations (Winkel and Leipold 2016).The MSA is combined with framing theory, to investigate how PEs (Brown 2020), elite actors (Fawcett et al. 2019), or networks (Reardon 2018) frame problems and solutions to influence policy.Béland suggests knowledge regimes as a refinement of MSA, highlighting the role of institutions in mediating the impact of ideas (2016).Winkel and Leipold investigate the MSA through an interpretive lens, utilising understandings from interpretive policy analysis and discursive institutionalism (2016; Hajer and Versteeg 2005;Schmidt 2008).Here, discourse, the structure and constructs of meaning, is regarded as a decisive institutional context of policy developments (Schmidt 2010), and the policy streams are conceived of in terms of perceptions of problems, policies, and politics (Winkel and Leipold 2016).

Application and development of the MSA
This case study is an atypical MSA study; one could argue it is outside the scope of the original theory, as the case lacks involvement by politicians, interest groups, or public opinion, all key to the MSA.The actors involved in the case were public servants, participants in the standardisation process, and risk and security experts.When the MSA is still viewed as suitable, it is because of the underlying assumptions of ambiguity and analytical stream independence, enabling an investigation of how the streams shaped the process, as well as the role of actors and especially PEs for the outcomes both within each phase and across phases.The MSA needs, however, adjustment to fit the case at hand.
Kingdon regarded the empirical processes he studied as "extraordinarily complex" (2014,20), pointing to the many participants, policy ideas, etc. Complexity is linked to metaphors of scale, such as policy ideas floating in a "primeval soup".Zahariadis (2013) specifies that also issue complexity, not necessarily institutional complexity, makes the MSA useful.This article theorises that complexity and room for manoeuvring do not require quantitative complexity but can manifest itself in qualitative characteristics of the process.The streams are thus seen as different logics.The problem stream encompasses what needs to be changed, the policy stream how it should be changed, and the political stream who decides.Regarding the streams as logics detaches them from the link to specific actors or organisations.Actors can move between activities related to different streams and have an impact across streams.This moves the analysis in an interpretative direction (Weible and Schlager 2016).For the policy stream to be active, it also does not have to be quantities of ideas, such as with a "primeval soup".Only that at least one policy idea exists about how something should be changed.
There are fewer pregiven criteria to rely on when the streams are seen as logics.The analysis thus rests on interpretations of reasoning and actions within institutional contexts, such as the content of a discourse (i.e. did they discuss what the problem is, did they argue in favour of a certain policy, or how to solve a disagreement?),but also what influenced the process (i.e. a single veto-power's decision).See also method section below.
A second adjustment of the MSA is that the present article attends to institutional contexts in two ways, reflecting theoretical developments described above.First, formal institutional structures are linked to the political stream (Zohlnhöfer et al. 2016).Institutions "define the rules of the political game, and as such they define who can play and how they play" (Steinmo 2015, 181).Crucially in this article, they decide veto possibilities (Thelen and Mahoney 2010).
Second, the professional background and knowledge of those involved in the different phases shape how problems are framed, which policy proposals can be communicated about and how.This builds on insights of how discourse shape, and is shaped, in a policy process.Table 1 summarises the analytical framework.

Method and data
The case study builds on abduction, where a "situational fit" between observed facts and theory is searched for (Alvesson and Sköldberg 2018;Ashworth et al. 2019).Key to the abductive process is the refinement of theories when existing theories are unable to frame findings (Timmermans and Tavory 2012).The analytical framework is thus developed during the study, and "tested" in part against new data, but also through revisiting old data in a back-and-forth process.
This article is based on a case study of the establishment of a standard in Norway (2006Norway ( -2018)), studied as a policy process.The investigation starts with an initiative to coordinate two governmental guidelines and ends when the standard had been in place for some time, and the controversy had "faded".The study compares three phases with distinctly different institutional arrangements.This enables a withincase, longitudinal comparative design (Gerring 2007).
Very little is known about national standardisation processes by SSOs from a social science perspective, and it is thus hard to know what type of case this is in the larger universe of national SSO standardisation processes (Ragin and Becker 1992;Levy 2008).The study is thus exploratory, aiming at analytical insights.As an MSA study, it can be viewed as a least likely case (Levy 2008).This article thus explores the theory's ability to "travel", its ability to "make sense" or "sensitise" (Blumer 1954;Timmermans and Tavory 2012) in a very different environment.
The data used are primarily documents (government archives, reports, popular and academic writing) and interviews. 6Of a more supplementary nature is fieldwork at a standardisation course,7 webpages (blogs, newspaper, advertisement), and audio recordings from a conference (FFI 2015).
The interview data consist of 40 transcribed interviews with 34 people from the government, the private sector, SN, and academic/research institutions, selected through a combination of strategic and snowball sampling, see Table 2. Nine of the interviews were conducted by Busmundrud et al, with verified interview summaries included in an appendix (2015).The other interviews were conducted by the present author (2018)(2019)(2020)(2021).The interviews were in-depth, mostly face-to-face, and semistructured, with thematic questions allowing for flexibility and dialogue.Interviews are anonymised to encourage an open dialogue.In all the phases, interview is a key data source.In the first phase, documents (letters, minutes, notes and drafts) archived by the Ministry of Justice and Public Security are also central.In the second phase, interviews are the main data source.The third phase builds on a combination of written material and interviews.In general, there is high coherence between the various descriptions/data sources.
Interviews and key documents were coded in Nvivo, with memos supplementing the coding as an analytical tool.Coding was initially sorting based (Tjora 2018), pertaining to the MSA but also topics raised in the interviews.The analytical process consisted of coding, analysing, and refining key codes, comparing with, and refining the analytical framework, revisiting the data (refine coding, compare data, memos) and collection of new data (additional interviews), as well as sensitising the analysis through engagement with literature.
The present author has a background of nearly 20 years in the civil service, see Supplementary material for elaborations.
From a minor detail to a popular standard: the establishment of a standard for security-risk assessment Phase 1: the development of a guideline on terrorism protection The first phase of the process took place within government, when the Norwegian Police Security Agency (PST), the National Police Directorate (POD), and the Norwegian National Security Agency (NSM) developed a guideline on terrorism protection.NSM originated from the military, but all three agencies were hierarchically under the jurisdiction of the Ministry of Justice and Public Security (hereafter the Ministry).
In the aftermath of 9/11, two classified guidelines on terrorism protection were produced, one by NSM and one by the police.The Ministry saw two guidelines on the same topic as not communicating a unified, coherent message from the government and gave the three agencies an assignment to publish one guideline together. 9OD disagreed to the assignment.10After some dispute, stalemate, and attempts to rephrase the assignment, the Ministry insisted on the original goal of a unified guideline.11By May 2008, a common draft guideline had been completed, needing only formal sign-off by the three agencies.At this time, a new employee entered a key position in PST, proposing that the guideline should present risk management and -assessment as a suitable tool in terrorism protection.Proposing a change at this point was controversial.A draft had been finished, the deadline was overdue, and it had been more difficult and time-consuming than anticipated.The new employee argued for his/her approach and got the support of PST and NSM.12Both agencies became convinced that introducing risk management would offer better guidance on terrorism protection.
POD objected, wanting to finalise the existing draft. 13It also rejected a new draft guideline from PST and NSM and once again proposed two guidelines to the Ministry.The Ministry once again rejected this, insisting on the need for one, unified guideline.A bargaining process between representatives of the three agencies resulted in a finalised guideline in 2010 (NSM et al. 2010).It stated that terrorism protection planning should be conducted using risk management andassessment, in line with the new employee's proposal.
Utilising the MSA, the problem stream clearly defined the Ministry's perspective in its insistence that a single, unified guideline should be produced.The Ministry did not get involved in policy questions, and it had only one thing on the agenda: a unified message by the government on terrorism protection.When the Ministry supported a rewriting of the draft to introduce risk management into the guideline, it supported the majority of agencies (2 against 1).
Kingdon states that changes in policy processes often occur through a change in key personnel (2014).This is the case here, when a new employee introduced the idea that terrorism protection should be conducted through risk assessment andmanagement.At this point, the policy stream was defining the course of events.The process was prolonged to incorporate a new policy solution.Attention to policy also brought the underlying problem somewhat to the fore, as it was argued that planning through risk management was the better solution to protect against terrorism.The problem and policy streams were empirically linked, as is often the case (Winkel and Leipold 2016).
Initially, the question of jurisdictional boundaries was key to the process.Should a policy (guideline) from different agencies (the police/the military) be coordinated?This is the civil service version of the political stream, about battles over turf (Kingdon 2014).Although the policy stream changed the course of events when the new employee argued for a different policy, the political stream was the defining logic most of the time, both before and after.Little substantive policy discussion, stalemates, and attempts to rephrase the terms of the assignment indicate that the process was mostly shaped by the question of who gets it their way, that is, who decides.The battle was so fierce that it was sarcastically referred to by some as "the suicide project".The reason the process resulted in a policy was, we may conclude, the clear hierarchical structure and the single veto-power, the Ministry.
The new employee, and eventually more people, worked actively, persistently, and with a willingness to "fight it through" to get a guideline with their preferred policy.They did not put the guideline itself on the agenda, but they put risk assessment/management on the agenda within the framework of the guideline.Put together, their actions were much in line with the MSA concept of PEs.Table 3 sums up the first phase.
Phase 2: standardisation of the risk assessment approach Independently of the process described above, an initiative was taken by SN to identify the need for standards for crime protection within the building and construction sector, and the relevant committee (SNC 296) initiated a working group (WG).The key PEs who developed the risk assessment approach in the terrorism guideline got involved in the working group.
The movement to SN radically changed the institutional context of the process.First, it was no longer under the jurisdiction of the government, although some of the key actors were civil servants.Unlike in governmental processes, however, their position was not privileged as the consensus requirement meant that all participants had veto-power.Second, all the actors were new, except for the PEs who had taken the initiative to standardise the approach.The people involved now primarily came from the building and construction sector and physical security.Finally, the claim to authority changed; the source was not governmental but linked to the authority of SSO standards.
The SNC 296 committee had originally envisioned standards on physical security, but a PE took an initiative to change priorities: I saw this as my golden opportunity, because I : : : was convinced, that my approach was better than what had been there before.How do I spread this?That has a lot to do with being in a position of power.In [agency X] I was in a position of power, you are the organization.Whether true or not, people think a person coming from [X] knows a lot about security, just because they come from that organization.And then I thought, let's make this more universal.So I pushed for making standards, but not the ones they [the SN board] wanted.They wanted to make standards on buildings and technical matters : : : I was a bit smart and saw an opportunity and said, 'let's make a standard on terminology and one on [risk assessment] method.
The interviewee refers to him/herself as an active shaper of the process ("I was a bit smart") but also of an opportunity that opened up ("my golden opportunity"), in line with the MSA concept of a policy window.
The need for standards on risk management within a security framework was a new idea in need of acceptance.The WG and the SN committee got convinced about the advantages of risk management standards and changed their priorities accordingly.A series of standards on security-risk management was proposed (NS 583X-series).The policy stream thus played a key role initially.
The policy proposal was tightly linked to a new problem description.The problem was now framed as a lack of foundational professional standards tailormade to the field of protective security (intentional, malicious acts), contrasted to the field of safety (accidents, natural disasters) (SNC 296, Crime Protection Working Group 2009).One of the standards initiated was on risk assessment for security.A draft standard was developed, building on the risk assessment approach presented in the guideline on terrorism protection previously agreed on by NSM, PST, and POD (phase 1).The approach to risk differed from traditional approaches to risk, as described in the introduction.
When the draft standard was finished, a new person from a key governmental organisation working with safety joined the 296 committee.This new member, supported by his/her organisation, disagreed with the draft standard, arguing that it was unfortunate that a risk assessment standard defined risk differently than established risk standards (ISO 2018;Standards Norway 2008).
The proponents of the approach did not alter their position, however.The key argument for producing the standard was exactly to customise the understanding of risk to the field of security.Those arguing in favour of the draft standard were frustrated that someone outside the field of security wanted to stop what they regarded as a professional development of the field.
A key requirement by SN is that new standards should be consistent with existing national and international (CEN, ISO) standards.Consensus within the committee was also required.Both were lacking, so SN stopped the process, entering a period of stalemate.
To find a solution, those in favour of the draft standard proposed a conceptual change.The standard should not be one on risk assessment (for security) but on security-risk assessment, with the difference being between risk and security-risk.Everyone accepted this solution as a compromise.The approach could no longer be confused with other risk assessment standards.A new concept (security-risk) and a new practice (security-risk assessment) were established.SN's two concerns, consensus and consistency, were no longer a barrier, and the standard NS 5832 was published (Standards Norway 2014).
The solution was, arguably, a political solution, not a question of policy.Although there were some attempts to discuss substance when the new committee member entered the process, there was not much policy discussion, and the process soon went into a stalemate.It was a question of who would "win", with the politics stream as the defining logic.This made the decision-making process dependent on the rules and regulations of standardisation.Since standards are based on consensus, and all participants have veto-power, opposition from one party sufficed, easily creating a stalemate.When the concept security-risk was introduced, the purpose was to get around this stalemate through creating two professional domains: security-risk assessment and risk assessment.
Requirements for coherence and consensus are strong institutional barriers imposed on the standardisation process.We argue that they did not work as such in this case.Instead, they became incentives for creating a differentiation between two types of risk, representing an institutional restructuring between two professional "turfs" on which to professionalise.See discussion below.
Finally, we need to look at the role of human agency in the second phase.The PEs who moved the policy to SN were active in both identifying the policy window and initiating a change of what should be standardised.They convinced key people of their perspective, enlarging the group who worked in favour of the standard.They did not give in to requirements to comply with established NS and ISO standards on risk or objections from established risk assessment milieus through the new committee member.They also presented a creative solution to solve the problem of the stalemate.We may conclude that proponents of the new standard took the role of PEs as described in the MSA also within the second phase of the process.
As in the first phase, change of personnel played a decisive role.First when the PEs influenced the type of standards that were made a priority, but also when the new committee member acted as an antithesis to a PE, saying stop.Table 4 sums up the second phase.
Phase 3: after standardisationthe nonevent We have worked : : : in accordance with the recommendations from the National Security Agency, by using the approach from the Norwegian Standard 5832.
Chief Police Officer Odd Reidar Humlegård, Open Hearing regarding the Office of the Audit General of Norway's report on protective security measures (The Norwegian Storting 2018).
As the quote above indicates, the new standard (NS 5832) became, in some areas, a point of reference for professional conduct within protective security work.It was one of SN's best-selling standards, according to interviewees.14NSM recommended the standard in guidelines (2015, 2016a), using it as a basis for its risk assessments (2016b).The police and other government authorities also used it as a professional basis (such as The Norwegian Coastal Administration 2018; PST 2022).Risk assessments of the physical security of Ministries were conducted based on the approach (Busmundrud et al. 2015).
Primarily after the standardisation, risk scholars and practitioners started debating the standard and its risk assessment approach.The Norwegian Defence Estates Agency (FB) commissioned a report from the Norwegian Defence Research Establishment (FFI) to compare the two approaches (SN 5814 and SN 5832).The report found weaknesses in both standards, but it especially criticised the lack of probability/likelihood as part of the expression of risk in the NS 5832 standard (Busmundrud et al. 2015).The report demonstrated some fierce disagreement, with one interviewee describing the controversy as "almost like a religious war" (2015,45).
As part of the dissemination of the report, FFI organised a conference (FFI 2015).

One participant reflected on the sudden engagement:
There was little interest until it was published.Then something happened.Interesting.No-one wanted to participate in the [standardization] work, no-one cared during the hearing.But when it was published : : : many people loved it.Finally!Most people.But there were also some who disagreed : : : .I think there were great discussions : : : that brings the profession forward.It was a lot worse when we just sat there and no-one cared.There were 200 people at, and a waiting list for, a [FFI] conference on risk assessment : : : In the SN committee, there were 8 people, maybe 4 showed up.Whoever wants to can show up at these committees.Suddenly, afterwards, 30 people showed up.Then they chose to show up.Now they wanted to participate.
The interviewee contrasts the process during the standardisation, with few people engaged with the situation afterwards with a lot of interest.Although the quote expresses enthusiasm for the attention from a wider audience, the debate mostly took place within each separate professional community.The academic risk assessment community wrote academically on risk assessment approaches for security threats (i.e.Maal et al. 2016;Askeland et al. 2017;Jore 2019); security professionals mainly worked practically with security, as consultants and within government, and did not engage with the academic-or traditional risk-assessment community.The standard was disseminated through courses and practical security-risk assessment work.
The third phase represents a puzzle.Why did a policy debate emerge after the standardisation?In the first two phases few, if any, people with a knowledge background from traditional risk assessment were involved in the process, except for the new member of the standardisation committee.After the standardisation, a broader risk assessment community came to regard it as relevant to their professional domain and became involved.
Why did they bother?Standards are voluntary and could, we may assume, just be ignored.The dilemma is that standards are also important.When the approach was published as a Norwegian Standard, it was sanctioned as good practice and as "expert knowledge stored in the form of rules" (Jacobsen 2000, 41): A completely different weight is gained when you can refer to a : : : standard.That is beyond doubt.Referring to our guideline compared to a standard would probably mean a whole lot for people in charge : : : If I had been in charge, I would have felt more confident that it was "best practice", that this is something you can trust and base your decisions on.A [government] guideline does not have the same weight, of course.When you can refer to a wider professional group, that has agreed on a standard, that gives it a completely different weight.
The interviewee, coming from a governmental agency, sees standards as communicating quality and best practice to a much greater extent than government guidelines.As the chief police officer's quote at the beginning of this section illustrates, following standards communicates professional conduct.All the interviewees asked about standards see them as trusted to be good practice, although a few questions if this is really the case.Standards seem to convey neutral, apolitical, professional best practices, communicating "pure policy", not linked to any organisation with (narrow) interests and political agendas.
The risk assessment professionals that started to raise questions after the standard came out got involved, we may thus argue, because when the security-risk approach became a standard, the "bar was raised".It was no longer a policy idea floating around, it was not "just" a governmental guideline; the authority of the standardisation institute had sanctioned it as a sound, professional risk assessment approach.
One interviewee commented that some people felt like they had "been asleep at their desks", suddenly getting involved after the standard was published.There is no obligation to participate in standardisation, though.Standardisation is timeconsuming, voluntary work.The flat decision-making structure does not privilege any position, making the reward and outcome from participation uncertain.The dilemma is that standards are "innocent" (voluntary, consensual) while potent (sanctioning good practice).
The standard drew criticism not only from the risk or safety community but also from security professionals, such as from FFI and FB (Busmundrud et al. 2015;FFI 2015).Given that standards are supposed to be based on broad consensus, why was the standard not reassessed within the framework of SN?If the legitimacy of standards builds on the premise of broad consensus, then consensus in a "narrow" group should not be enough?
There are two reasons for the standard not being reassessed, we argue.First, many security professionals were positive towards the standard.Since standards are voluntary and a marked product once it is produced, one can buy it or not.If standards are supposed to convey consensus and good practice, a marked demand is, however, not enough.The second reason for SN not reassessing the standard amid criticism may be found in SN's role as mere process facilitator, a "neutral link between involved parties" (Standards Norway n.d.).All professional judgement is outsourced to committees and working groups.No-one mobilised SN or the SN committee; that is, activated the political stream.SN thus did not relate to the policy concerns that had arisen regarding its own standard.
A few incremental changes did occur, however.NSM, the key government agency within protective security, eventually stopped promoting the standard as the (only) preferred one and was no longer represented on the NS 296 committee.Regarding the standard itself, nothing substantial happened, and the debate faded.The process was no longer a process.
Viewed through the MSA lens, the main active stream in the third phase was the policy stream.The policy question that had not previously been debated at any length, the quality of the risk assessment approach, now drew attention.The policy discussion was to some extent linked to the problem stream, in the sense that concerns were raised as to potential unfortunate consequences of two risk assessment standards, such as creating a need for two separate professional milieus in organisations.The standard was thus discussed both as policy and as a potential problem.Table 5 sums up the last phase.

Educational background and knowledge
Lastly, we turn to knowledge background, part of the analytical framework that has so far not been systematically discussed.This is best observed across phases.In all the phases, the established knowledge base was challenged by new people with new perspectives.In the first phase, a knowledge base from public administration within the police/the military was challenged by the introduction of risk management.In the second phase, the building and construction knowledge base in the committee was challenged, first by the PE who introduced risk management and then by the new committee member whose knowledge background was from traditional risk assessment.In the third phase, the key knowledge base came from the risk assessment community and safety backgrounds (academics, public administration) but also from security (FFI, FB).At least partly, these perspectives had a stronger link to academia, and practically oriented security professionals mostly did not participate in their debates.
The mismatch in the different phases between the knowledge backgrounds of the establishment and the challengers meant that new people could formulate perspectives the "old" knowledge base had a weak basis for dealing with.We may counterfactually argue that this resulted in an "easier match" for the PEs than if the established knowledge base had been familiar with risk assessment in the two first phases.It might also explain why the process moved so quickly from policy to politics in the two first phases.Instead of further investigating policy options, something that needs ideas, concepts, and vocabularies to discuss with, the process moved into stalemates and thus "politics".
Utilising Carstensen and Schmidt, we may conclude that in the two first phases it was power through ideas, "the capacity of actors to persuade other actors" (2016,318), in the last phase it was "power in ideas", when a hegemony decided on which ideas were considered in the SN committee (2016).Put differently, "[p]ast policies empower some groups over others" (Bolukbasi and Yıldırım 2022, 12).
Summing up the three phases, in the end, it is simply one dimension which makes this case into a separate process, into one case.This is the policy proposal (the risk assessment approach), "travelling" through all the phases.Additionally, the people who moved the proposal from the first to the second phase, the PEs, are essential in it being a process.Different formal institutional arrangements, new people, and new knowledge bases in each phase make for a fractured process, see Table 6.

Discussion and conclusion
In the following, this article zooms in on SSO standardisation and how it creates ambiguities and links it to the case in question.A brief discussion of the usefulness of the MSA framework follows before concluding remarks.
Before zooming in on the SSO standardisation, however, a short discussion of the first, governmental phase, is called for.We noted above that there was little policy debate in the first phase, and different approaches to risk assessment were not investigated or elaborated upon.This shortcoming of the first phase spilled over to the second phase, as the only approach considered initially in the second phase was the risk assessment approach from the first phase.One could thus argue that the problem in phase 2 lies in phase 1.Although there is some merit to this argument, SSO standardisation builds on producing quality standards independent of government.The SSO standardisation process should thus withstand scrutiny, independent of the previous, governmental phase.

Standardisation: an ambiguous institutional arrangement
The two last phases were shaped by the standardisation institute, and we have pointed out ambiguous characteristics of standardisation as they have unfolded during the case.We noted that standards are "innocent" (voluntary, consensual)  The role of government in standardisation is also ambiguous.On the one hand, standards are sometimes government policy, as people from the government participate in standardisation, influencing the content of standards.Standards are also a normative and professional basis for governmental conduct (Olsen 2020).Public authority "plays an important role in legitimizing the genesis of standards" (Botzem and Dobusch 2012, 739;Gustafsson and Tamm Hallström 2018).On the other hand, government members do not have a privileged position in framing the standards, and the government is not responsible.Standards and standardisation are, and are not, government policy.This can be seen in the case under scrutiny.Actors from government moved in and out of the committee.More illuminating is how NSM changed from promoting the standard to merely presenting it as one possibility.Since NSM was not responsible, it did not have to work out a new policy, and it could simply change how it referred to the standard.Standardisation gives government organisations flexibility and room for manoeuvring.
Responsibility for standards is also ambiguous.Formally speaking, a standard is issued by SN.The claim to authority, and the de facto responsibility for the content of the standard, lies, however, in the committee.Committee membership is voluntary work.Members come and go, they are not responsible in a more fundamental way for the quality and impact of standards. 15In the case at hand, when the standard was criticised from a wider professional community, no one representing SN or the relevant committee felt responsible for going into the policy discourse.The standardisation thus led to a decoupling of policy and politics, leading to stream independence.
Hajer describes a situation in much policymaking today of an institutional void, where actors negotiate and conceptualise rules and boundaries during policymaking (Hajer 2003;Leong 2017).The potential risk of SSO standardisation might be better described as creating an institutional deficit.SSOs produce policy in a governmentlike institution, but the SSO is not structured such that it takes responsibility for policies in a government-like way.There may become a mismatch between what has been produced (standards) and the means to govern what has been produced (shifting, voluntary committee members).Responsibility may become diluted (Brunsson 2000), and it becomes unclear who governs (Gustafsson and Tamm Hallström 2018).This deficit may not occur in a single standardisation process.
Over time, however, the constant evolving membership of committees (Wiegmann et al. 2022), and SSOs as mere process facilitators, may create an institutional deficit.
The small body of literature using the MSA on standardisation by SSOs points in similar directions of institutional deficits.Rashid and Simpson (2019) conclude that SSOs have assumed a public policy-making role in wireless communication but have failed to fill this role.Tang et al. point to how SSOs have created "a plethora of rules and procedures" (2019, 502) in the international trade system, but where there is a "general lack of a centralized authority responsible for developing a consistent policy in the regulatory sphere" (2019, 514).Harcourt et al. note a spillover tendency into SSOs in international internet governance (2020).Actors are attracted to SSOs, they argue, because decision-making is seen as more efficient, but also because it changes who coordinates, filters type of influence and resources available.They all describe SSOs as institutions that offer government-like regulation, but where responsibility is diluted.
Utilising the comparison between the governmental (phase 1) and the SSO (phase 2) policymaking, we may observe a difference in how "firm" the formal institutions stood amid disagreement.When the process took place within government, the hierarchical structure and single veto-power resulted in a decision, creating "winners" and "losers".The rules of the formal system structured the policymaking.During the standardisation, on the other hand, the solution to the disagreement created an institutional restructuring.The success of the PEs in the second phase was, arguably, linked to the process being manoeuvred into something it was officially not.The norms of standardisation state that a broad group of experts create policy through consensus.This was reversed, in that the policy field was split in two so that the group who needed to agree were narrowed down to those who agreed on policy.The possibility to manoeuvre around the formal barriers thus became an important reason for the establishment of the standard.Rules and boundaries were negotiated during policymaking (Hajer 2003).One can argue that, contrary to the governmental phase, the SSO institution in this case did not only structure policymaking, the policymaking structured the institution.
Utilising the MSA on a least likely Norwegian case We have introduced, and further developed, the MSA to investigate a policy process very different from the theory's origin.The study is exploratory, utilising an abductive approach, and it thus does not test the theory.A discussion of the "situational fit" (Timmermans and Tavory 2012) between the adjusted MSA and the case is, however, called for.
Although the case lacks key characteristics of most MSA studies, we find many MSA assumptions and concepts useful when investigating the case.One such premise is stream independence.Empirically, we note that stream independence was often not the case, such as the movement from the policy stream to politics when agreement on policy was not accomplished.The case also shows examples of empirical stream independence.Most notably in the third phase, when the policy stream was active, but where the potential political stream was not activated.Seeing stream independence as an analytical, not empirical, assumption makes the premise of stream independence useful, we argue.It makes it possible to investigate how the different parts of the policy process unfold, where the relationships between problems, policies, and politics are investigated, not assumed (Herweg et al. 2018).
Kingdon describes two ways governmental actors influence processes: through turnover of key personnel and "turf" (2014).This fits the case well.New people decisively influenced the process, as described above.The same is the case with "turf", both the objection to a coordinated terror guideline in phase 1 and the differentiation between two types of risk have to do with boundaries or "turfs".The key MSA assumption that policymaking depends on active coupling by PEs is also supported by the study.
The case is investigated through a comparison between phases.The movement and manoeuvring from one phase to the next, the "venue shopping" (Ackrill et al. 2013) are, however, also important.To grasp policymaking today, we may need to see processes as part of larger structures of polycentric governance (Berardo and Lubell 2016) or governing regimes (Gustafsson 2020), where private and public governance interact.The MSA fits polycentric governance well, with the theory's independence of organisational boundaries, the premise of ambiguity and temporal sorting, analytical stream independence, and PEs ability to conduct venue shopping.
The many calls to incorporate institutional characteristics into the MSA framework are supported by the study.PEs are important; they may seize the moment, but they act within institutional structures paramount to the outcome.
All in all, the MSA enables a sensitivity to the coincidental, to simultaneity and timing (Christensen et al. 2018), but also to the strategic and opportunistic act of coupling the streams (Greer 2015).The study suggests that also small policy processes consist of different streams, here seen as logics, that need to be coupled in ripe policy windows by PEs.We may conclude that in a least likely case like the one in question, given some adjustments, the MSA sensitises the analysis in meaningful ways.

Concluding remarks
This article asked how we can account for the establishment of the standard and the role of institutional context in this regard.In the first phase, the risk assessment approach was institutionalised, we may conclude, because a new employee introduced it, and the Ministry utilised its single veto-power.This article notes the many ambiguities of SSO standardisation and how it creates possibilities for manoeuvring.In the second phase, key to the establishment of the standard was the introduction of a new concept (security-risk), circumventing policy disagreement, thereby creating an institutional differentiation between two professional "turfs".Strong institutional barriers in theory did thus not work as such in practice.We argue that the differentiation between responsibility for process (SN) and content (committee) makes the standardisation process vulnerable to stream detachment.In the third phase, SN (potential political stream) did not relate to criticism of its own standard (policy stream).Building also on other SSO research, we raise a concern for a potential "institutional deficit", a potential mismatch between SSOs producing policies, but where the SSO is not structured such that it manages to take de facto responsibility for these policies.
The public policy literature is diverse but mainly centred on government processes.As this case indicates, we should not take the public/private distinction for granted, since it "has de facto become a boundary within a political order" (Frankel and Højbjerg 2007, 96, italics in original).The journey into a Norwegian standardisation process shows that the process stream perspective can shed light on some key characteristics of standardisation by SSOs.Importantly, we do not know if the case investigated represents a typical SSO process, an extreme one, or something in-between.Conclusions have been drawn in part pertaining to the case itself, in part analytically.Further research on SSO standardisation from a policy process perspective is called for, as it has become a global and highly influential phenomenon.
Supplementary material.To view supplementary material for this article, please visit https://doi.org/10.1017/S0143814X23000223

Table 6 .
Overview of the three phases, institutional dimensions, and the MSA

Table 6 .
(Rasche and Seid 2019)sly activated and potent (sanctioning good practice) simultaneously.Standards from SSOs are also ambiguous in another sense: They are framed as making the world better and more efficient, a reason for time-consuming voluntary work.SSO standardisation is also legitimised as being good for business (Jacobsson and Brunsson 2000; Menonpublication 2018), implying interest-based reasons for participating in standard development.When a standard is finished, it becomes a marked product sold by SSOs(Rasche and Seid 2019).In this case, key actors started working in private sector as consultants, and the standard became a product that could be utilised in consultancy practice.Standards are, in other words, both common goods and business opportunities.