Doing Safety … and then Security: Mixing Operational Challenges—Preparing to Be Surprised

Demands for organizational safety and security continue to increase. With incommensurable, legitimate operational requirements, tensions are to be expected. Variations in the sources of tensions are explored along with potential informal modes of accommodation. Analytical thought experiments are proposed. Prepare for surprise.


Introduction
Over the past decade, public insistence on both safety and security processes has increased even as primary expectations continue to insist on reliable operational or mission activities. Joining these capacities involve activities that are often difficult to integrate. What organizational design and operational puzzles arise when "safety in operation", and then "security from external threat" are demanded from organizations and public institutions as their core technologies grow in scale and complexity? This essay explores potential implications, sets a framework for empirical examination, and ends with injunctions for executive and key operational actors. 1

Framing Assumptions and Orienting Questions
Safety and security functions seek to assure conditions which avoid a wide array of debilitating, potential lethal events (i.e., assuring non-events). Some are associated with internal, involuntarily conditions and behaviors (safety); others with intentional acts by external adversarial actors intent on destruction (security). Safetyrelated functions will be activated more frequently at lower levels of intensity than most security-related ones. These will be infrequent, usually with relatively intense activity. In either case, rapid response readiness will be prized. Since all operational environments harbor persistent, irreducible ambiguity and intrinsic hazard, there will be operational surprises and "breaches in security." Analysts and designers should expect that safety and security assuring dynamics and cultures are sufficiently distinct as inevitably to produce legitimate, continuously overlapping, sometimes reinforcing, sometimes incommensurable skills and practices. Operational leaders should expect, at least informal, accommodations between representatives of safety units and security units to limit tensions and conflict. The resulting tensions are likely to be exacerbated when contemporary measures of efficiency are incorporated into the criteria of effectiveness. 2 Operational dynamics may well become unstable and policy responses dysfunctional.
What analytical questions become salient when there are vigorous public demands to greatly improve and integrate safety and security processes with key operational functions? Consider the following: To what degree do Safety/Security/reliable Operations re-enforce each other; conversely, impede each other sufficiently to prompt tension and conflict? Explicate in terms of the interacting dynamics between each functional pair. As the potential for Safety ↔ Security tensions increase, what organizational policies and practices limit-exacerbate existing operational dysfunctions? To what degree do tensions vary as a function of different types of institutional quality assuring constraints associated with (Safety, Security, Operational) activities carried out in the relevant agency domains? To what degree do tensions vary as a function of different types of national regulatory patterns? What processes of anticipating, managing, and engaging potentially dysfunctional dynamics are practiced? Under what conditions are they employed? What are the dynamics and consequences of relative budget decline?
These are demanding questions-derived from suggestive conceptual speculation, analytical hunches, and in-depth observers' experience. "Thick descriptions" in the answer are meager. Crisp analytical work has yet to be done. Considerable qualitative observational fieldwork is imperative…and extraordinarily demanding. Where to allocate scarce research resources? What follows is a kind of prospective guide for adventurous empirical observers.

Imagine a Thought Experiment
Start with a "what's it like to be there" thought experiment. The intent is to frame intuitive, conceptually informed imagining; to suggest research in a "what to know next" spirit; and to set the stage for generating hypotheses and studies in more formal, analytical discourse (informed by LaPorte [2,3]).
What is it like to be centrally involved with enacting safety or security functions in a very reliably performing large public or manufacturing organization? Pick your favorite ones-ones that have been in copasetic harmony, now with tensions rising. Identify situations where-when safety and security functions are each done effectively-they overlap and then threaten to negate each other. Imagine organizational norms and practices mixing in ways that could prompt contradictory suites of skills and interacting episodes. How are these contradictions recognized? What conditions make it difficult to avoid them?
What (national) institutional conditions enable operators, citizens, and social leaders to "prepare to be surprised" … "to be unprepared"? To what degree do these conditions limit the likelihood of institutional resilience in the face of serious shortfalls in social safety, in national security?

A. Initial Bearings
Take the vantage of operators, members of the teams that enact varying task requirements and assure effective network experiences within large-scale organizations. Locate groups that have confidently bounded the tensions intrinsic to integrating the different intensities of safety and security regimes-under the eyes of wary regulators/overseers. How might the operators' views of such situations be framed?
Responses hinge, in part, on the tacit and explicit functions, tasks and social structures clustered under the primary orienting concepts-safety, security, operations, and, in part, on the activities carried on, in the field, by those actors who have been assigned safety or security missions. Who think that's what they're doing.
In examining these situations, assume the following bounding expectations or situations. You can expect widely varying operational settings. Situation 1. Most agencies operate where safety activities and security (watchfulness) functions predominantly complement each other in daily interaction. Requisite activities are modest and within reinforced, de-conflicting tolerances-many in the satisficing zone for safety/security management demands.
Situation 2. Intra-operational "Safety-Security" anxieties vary in response to the degree of perceived external demand for increases in safety and/or security measures for different arenas of operations.

B. Operative Assumptions
Current technical and environmental changes will continually increase the relatively hazardous nature of operations such that both increased densities of Safety and Security regimes will be demanded.
Policy demands almost never call for overt reduction in Safety or Security capacity once these have been established. "Hazard potential" and "environmental vulnerability" will change in one direction-greater relative internal hazard and increased external vulnerability.
Situation 3. Each Operational domain's technical core and action dynamics are associated with functionally well-vetted skill-authority relations, both intra-and interorganization. These are carried out by enacting teams, ranging from those evincing no overlap in Operational, and Safety or Security personnel, i.e., stove piped silos, to teams where the same members carry out all three functions sorted out in different, fully integrated, networked arrangements. These include recognized action options and nested authority configurations.
Situation 4. Path dependence effects are determinant. Each setting is shaped temporally by "Who got there first" relationships where those who establish initial operational dynamics of prime importance set the stage of second-comers' experience. Thence, organizational responses to policymakers' demands for integrating Saf and Sec functions are shaped predominantly by which functions-Safety or Securitywere established first. In consequence, Safety ↔ Security tensions, if they emerge, are likely to take on different manifestations depending on the establishing (Saf or Sec) sequence.

Imagining Safety-Security Interactions and Outcomes
Now, within the context of these expectations, (to be verified in the field), take on an experimenter/observer role in exploring the behavioral dynamics likely to emerge following insistent demands for the integration of both safety and security regimens. As each condition noted in Table 8.1 below is considered analytically, imagine the effects on operators' and mid-level managers' daily network dynamics of established Operational regimes. Each varies or shapes operators' experiences as they enact the technical requirements for Safety and/or Security missions. What behaviors could be an observer's targets for attention?
First, what are the salient skills and experiences needed to assure smooth, effective responses in the domains you usually engage? Second, what reactions are likely were new Safety or Security changes to be demanded by political overseers and/or regulators?
Condition 1. Variations in the operating conditions (V1) and potential operational changes implied by and concurrent with increased policy demands for Saf/Sec integration (V2). An optimum initial state would be one in which (i) Safety and (ii) Security capabilities are seen as fully established and satisfactorily in place at expected hazard levels (i.e., "all is well", whatever the level of expected capacities). But situations vary and demands for improvement can escalate, requiring that Saf or Sec regimes intensify and become fully integrated. Such changes in policy insistence can dramatically affect the experiences and interactions of operators with middle management, and these changes can upset existing operational equilibria. Imagine a study sample that could inform these variations (see Fig. 8.1 for US examples). Cell I-[Hi/Hi] Security and Safety both fully established and sustained. This is a rare combination-internal hazards and threats to systems are believed to be considerable and harbor potential for tactical/strategic attack, therefore, elevated contingency. E.g., Nuclear aircraft carriers and nuclear-powered electricity production. Key question: What happens when sustaining resources are overwhelmed?
Cell II-[Hi/Lo] Ops, Safety well established, say, in civilian agencies, that come to face rising hostility and threat, with subsequent demands to "ramp up" Security capability. E.g., NASA, aviation, transport. Key Question: Are established Safety groups allowed flexibility to accommodate and remain effective? Are their resources diverted to Security functions?
Cell III-[Lo/Hi] Security well established, say, quasi or fully military agencies, become pressed to reduce injuries and internally caused facilities' damage with ramped up Safety systems. E.g., US Weapons labs, formerly carriers, some intelligence services, and local police forces. Key question: Can security group operations complement safety newcomers?
Cell IV-[Lo/Lo] Both Safety and Security need increased operational capability. Organization in deep hole-history of injury, and damage to neighborhood and now facing hostile actions from groups close-in, i.e., under duress. In the past, limited need, tacit public expectation for all public institutions-due to limited external threat-and perceived limited internal hazardous context (save external fire, weather, earthquake-non-human threat). E.g., NASA; NOAA academic/analytical organizations. Key question: To what degree do leaders appreciate the steep increase of resource likely to be implied by public demands?
Analytical Challenge: Think of circumstances that exhibit these variations. Based on whatever conceptions of organizational dynamics you favor, predict several highly likely resolutions to the tensions that you have conjured. Now, two central analytical questions: Given the analytical basis for your predictions, how straightforwardly were you able to call out dynamics that could be sought in field observation? Where are the analytical shortfalls, if at all?
Other operational contexts with different, more detailed levels of safety or security activities associated are likely. This suggests the second of the several shaping conditions noted above.

Condition 2.
Coping with escalating hazards and threats. As intrinsic hazards and external vulnerabilities increase, we are likely to witness a series of layered, increasingly stringent, and militant operational responses to demands for integrated Saf and Sec capacities. These unfold as a function of increasing internal hazards and escalating external threat. Additional safety and security functions are levied within and on top of increased technical training and skill imperatives needed to enact core technologies and infrastructures. These additions vary from local, on-site safety preparedness programs to high alert, whole system protection from external attack. Schematic Fig. 8.2 indicates some examples of (i) increasingly demanding hazards-from workplace to organization-wide risk responses (emphasizing "safety first"), and (ii) external security-evoking threats (and security priorities).
The specific safety hazards and security threats are evident in a number of modern organizations both public and private. Responses to them also amplify several central management challenges noted in the Figure. All of these items were evident in the operation of large nuclear weapons facilities. The reader will likely know of other hazardous/threatened settings that have introduced other forms/layers of response … capacities and behaviors, by and large, invisible to most institutional observers. The phenomena are worthy of careful qualitative description.
Two additional conditions also shape operator experience and challenge managerial wisdom. These should be integrated into any serious field study. 3 Analytical readers will see how the patterns above could be applied here as well.

Condition 3. Variations in relative social scale.
The greater the social scale, the more complex, differentiated, and interactive/interdependent the organization and the more likely the emergence of triply nested-ops., saf., and sec.-authority patterns and latent resistance networks. We expect that when Operations are massive/highly complex, Safety is more diffuse, a moderate fraction of the whole, while Security is relatively limited, in the shadows (ready to emerge!).
Different operational steady states vary from Saf stable, limited regimes (with Sec mostly latent) to full integration of Saf and Sec regimes. Differences are evident in these brief examples: Education: Small Saf, Sec tiny. Air Traffic Con: Saf clear presence, Sec modest, latent ready to assume command. Aircraft Carriers: Saf modest, Sec modest, and lurking. Weapons Lab: Both Saf and Sec evident and fully manifest continually.

Condition 4. Variations in public expectation.
Organizations attempting to increase the integration of security and safety systems do so in the context of the public's understanding of and insistence on effective safety/security programs and their usual unwillingness to fund these developments. These vary widely from (a) limited experience, high expectation with reluctance to fund (Lo), to (b) clear recognition of risks and willingness to carry the costs with some forgiveness and tolerance for the struggle involved (HI). "Best cases" are rare and include our experience with nuclear power plants, national weapons labs, and submarine operations.

Amplified Complexity and Operational Switching Regimes
Thus far we have argued that institutional policy and technical developments persistently result in additional hazard-increasing functions (to be safely done), many accompanied by the increasing potential/costs of massive damage (at physical/psychological scale). In consequence, public and overseer demands intensify for both safety-and security-enhancing measures with the explicit expectations of effectively negating untoward events and hazard-prompted damage. These efforts are launched into operational domains already exhibiting extraordinary variety in (i) their established (entry) conditions; (ii) the range of emergent counter-threats; (iii) the heterogeneity of security response measures; and (iv) an array of operator-overseers demands and dynamics with considerable tension/incommensurable potential. These phenomena are quite variegated and analytical or empirical explication is relatively sparse.
There are likely to be patterns that have escaped, even attentive observers. An especially interesting one wants exploring-patterns whose subtlety and presence are likely to be overlooked without a relatively careful field study.
This is related to the first central analytical and management challenge posed at the outset: "Identify operational situations in which (Saf/Sec) functional overlapswhen done effectively-negate each other." 4 These are organizational maelstroms where norms and practices are mixed in ways that evoke contradictory suites of skills and interacting episodes. They confront operating teams and managers in niches of high tension and can be loci of unexpected modes of coping.
To put a sharper point on this, the piling up of well-performing safety and security augmenting functions and teams also comes with (requires) coordinating and regulatory assuring networks and personnel grafted on to or embedded in the existing operational community. In effect, social complexities are amplified in ways that often distort former relationships and harbor high "apraxic" potential [2]. This presents persistent challenges for operating personnel to evolve "on the ground" accommodations that reduce the destructive potential of intrinsically incommensurable activities.
Organizational skill groups exhibit dual or parallel Saf/Sec competences, each with potentially different operational rules. This situation could precipitate planned and practiced regimes shifting from (a) predominantly Saf processes to Sec ones, or from (b) predominantly Sec regimes to Saf emphases when conditions about which there is "high consensus" emerge.
There are persistent cases that demonstrate high consensus about conditions for shifting from safety to security privileging conditions, i.e., switching from Safetyassuring to Security-enhancing priorities. Tipping points are recognized by all operational and overseeing institutional/legal entities, thus smoothing the organizational grounds for actualizing operational changes.
Imagine what could be expected from operators and managers in the face of such dissonant potential? An Assumption and two Hypotheses.
Assumption: Due to increasingly heterogeneous hazardous operations across widely variegated service geographies, there is a growing range of different situations known to experienced on-site operators but beyond the knowledge capacity of most superordinate managers unless they have had direct, "close-to-hazards" operational experience in the relevant operational domains. Hypothesis 1: Operators and "close to hazards" managers, in efforts to limit confusion in the face of rapidly unfolding safety-or security-threatening situations, develop high-consensus rules of engagement and operational activities about shifting from one to the other processes. Each set has activities and triggers that do not reinforce those of the other. Hypothesis 2: "Switching" protocols from one set of priorities and procedures to the other activity are mainly the province of "close to hazard" working groups and supervisory management.
Managerial (and research) imperatives follow. As patterns of unfamiliar, risky situations and/or novel threats intensify, it increases the imperatives for senior leadership to (i) insist on the adoption of new skills, (ii) legitimate the capacity for switching internal emphasis (via facilitating personnel and team development and training); (iii) assure continued support from overseers for such dual capacities; and (iv) maintain/enhance public understanding and forbearance for respective needs.
At the same time, the conditions that produce the need to (i) intensify system safety, i.e., greatly reducing the experience of known hazards and (ii) fend off aggressive external attacks meant to cripple or destroy (i.e., assuring the absence of predatory suffering) also increase the operating social complexities beyond careful comprehension.
While deep knowledge limits some surprise, internal scale and increasing complexity guarantee it. And hostile external efforts at deception and seeking destructive advantage brook persistent, inevitable unpreparedness.
What if experiencing surprise and unpreparedness were to be expected, and experienced without blame and with some sympathy for those close to the hazard, what patterns could (perhaps should) become evident from analysts and leaders?

Preparing to Be (Legitimately) Surprised… to Be (Legitimately) Unprepared
An important emerging analytical challenge would (and should) be the development of credible skills, norms, and practices associated with "preparing to be surprised" during the deployment of measures expected to improve safety and/or security [3]. Surprises associated with each of these domains are likely to be systematically different. This a function of distinctive: (a) sources of relative hazard and technically/socially induced vulnerabilities and system complexities and (b) societal variations in public awareness/acceptance of surprises (forecasting incompleteness) and/or institutional unpreparedness, esp. in face of opponents' aggressiveness and their success in finding weaknesses and vulnerabilities. What overriding responsibilities and obligations for mission and institutional leaders would follow?
Capable senior leadership would facilitate (a) the evolution of wary trustworthiness and empathy for veteran safety and security first responders and stewards and (b) the emergence of institutional cultures according to high salience to forbearance and forgiveness as well as learning and blame-putting.
These would entail leadership obligations to Resist calls for "efficient" spare-ness-the thinning of watchfulness with the resulting increase in social apprehension-and to explicate/highlighting the continuing dilemmas associated with short-term impatience and political tendency to under-resource conditions of watchfulness needed by subsequent work generations. Assure organizational and public understanding of Saf/Sec stewardship roles and their fundamental contributions. Enhance a sense of honor and resources-beyond operational costs-for safety and security stewards. And remind us of our underlining dependence on those who, in effect, have signed up to take a bullet, suffer severe burns or serious injury on our behalf.
Afterword Insisting on enhanced operations of both safety and security functions across the critical organizations and institutions is increasingly likely and imperative. Responding to these imperatives-the ken of institutional leaders, senior managers, and, especially, experienced supervisory veterans-is already challenging organizations across a wide spectrum of social life. Those responsible take up the tasks often with little preparation and limited experience. Making rapid progress in understanding the conditions of both their copacetic joining and potentials for disabling dysfunctions, especially, the sources of intra-operational conflict is essential. Seeking these improvements becomes a major challenge for us-the community of analytically acute observers of organizational life. This essay touches on only some of the more obvious variations in organizational situations that will shape different outcomes. Reviewing the chapters of this book reveals something of the wider sweep of significant factors and the breadth of the challenges of knowing. We are still just a little beyond the starting line. A detailed sense of how these factors shape the outcomes and of the behavioral consequences awaits a significant increase in empirical acquaintance and rigorous fieldwork-often of the most demanding sort. It is also a work that is likely to be as intriguing and interesting as it is important.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.