How deregulation can become overregulation: An empirical study into the growth of internal bureaucracy when governments take a step back

Over the past decades, government safety management regulation has been driven by deregulation, simplification and organization-level regimes of inspection. So-called functional rule-making requires organizations to implement safety management systems appropriate for their operations. The paradox that seems to have arisen is that overregulation is common in many organizations. Research has found over-proceduralization, safety clutter, bureaucratic overload, and procedures not at the service of safety. To explore the paradoxical relationship between governmental deregulatory measures and organizational overregulation, we analyze empirical data from Norwegian fish farming and coastal transport. The data confirms that practitioners experience a rapidly grown abundance of internal rules and protocols, ill-fitting procedures, and pervasive, exaggerated safety management. We trace three mechanisms that have driven internal overregulation: work auditability; managerial insecurity and liability; and audit practices. These mechanisms show how functional regulation can have unintended consequences when it meets other accountability expectations. Expectations of market doctrine, bureaucratic entrepreneurism and control can lead a company transforming simple governmental regulations into vastly overcomplicated safety management systems. We conclude our study with prescriptions of how this aspect of safety could be done differently.


Introduction
The call for doing 'safety differently' has arisen in no small part because of the trend of impractical and extensive safety management. In organizations, ill-fitting procedures and ever-expanding documentation are understood as a necessary and largely unavoidable evil that even might induce accidents (Størkersen et al., 2017). Safety researchers have diagnosed the organizations with over-proceduralization and safety clutter (Bieder and Bourrier, 2013;Rae et al., 2018).
Surprisingly, the organizations' jungles of procedures are not directly induced by the governmental regulations, because the related regulations are often quite simple, straightforward and practice-oriented. Safety management regulations are usually functional regulations, also called goal-based rules, stating that companies must have safety management systems which document risk analysis and hazardous work (Nilsen and Størkersen, 2018). Functional regulation is a deregulatory measure, giving the organizations the responsibility to implement systems that result in safe operations, while governments only are to verify that the organizations have implemented systems.
Contrary to the deregulatory intentions, the organizations implement rules, clutter and red tape that often not contribute to safety, and even continue to grow. Many organizations have tried to simplify their safety management systems, but still have ended up with at least as many procedures as before (Power, 1999). Indeed, Amalberti (2001) and Rae et al. (2018) have traced how it is easier to add than to remove rules; how new procedures hardly replace older ones but typically become part of a purely 'additive' system. In this article, we describe the organizations' condition as overregulation, since the internal regulation is detailed and overachieving on the limit to contradict its objectives. This is overregulation generated largely internal to the organization, not only imposed by governments (at least not in anywhere near that level of detail) (Saines et al., 2014).
Paradoxically then, deregulation seem to lead to overregulation. While much literature refers to this overregulation, few empirical studies go into the reasons behind it. There is limited knowledge about the relations and mechanisms between the governmental regulation and the overregulation in the organizations. Managers have been blamed to weave in factors like competition, different stakeholder interests, or profit (Christophersen, 2009;Lappalainen, 2016) or their own incompetence or liability anxieties (Hood, 2007). Some overregulation might relate to functional regulations' verification demands and audit traditions, which make organizations focus on auditability (Hood, 2007;Power, 1999;Størkersen, 2018).
In this paper, we explore the reasons for the overregulation, and discuss: Why is overregulation of safety management observed in the organizations when safety management is driven by deregulatory measures?
We analyze cases from Norwegian coastal cargo and fish farming industries. These two industries have in common that the main operations are in coastal waters, far from the central managers' office, and based on similar safety management regulations and traditions. Yet the two industries have different supervision authorities, organizational structures, profit, and traditions. They form a wide range of safety management practices, which make them interesting for a combined study.

Deregulation contributing to functional regulation
Regulation is about protecting employees and environment through decreasing some actors' discretionary space (Grote and Weichbrodt, 2013). Regulation has been called "potentially one of the most important defenses against organizational accidents" (Reason, 1997, p. 182). However, neither the public nor business-owners want expensive regulation (DeSombre, 2008;Johnson, 2014). There has been substantial political-economic pressure towards deregulation, which is believed to result in improved competition, cost-saving and reductions of bureaucracy. Therefore, governments aim to reduce, simplify, or remove regulations.
Instead of old-fashioned prescriptive rules that describe in detail what each organization must adhere to, governments now, in the spirit of deregulation, usually make functional rules. These are also called goal-based rules, where government place responsibility on the organization to "encourage duty holders to go beyond mere compliance with regulatory requirements" (Sampson et al., 2014, p. 684). Each organization must themselves work out how to achieve certain goals, create rules and systems that work for them. Then the systems' existence, functioning and performance are to be verified by the government. It has spurred organizations and their leaders to show that they have put into place all reasonably practicable measures to protect people from harm (Jacobs, 2007). The company management then makes sure that operational personnel feel the responsibility for safe operations, so managements cannot be blamed for accidents. Research has shown a "transfer of risk" under deregulation, workers are assigned ever more responsibility for their own safety at work: deregulation has pushed more of the self-regulatory effort onto the work floor (Gray, 2009;Schofield, 2005).
Although the functional regulation stem from a wish for de-bureaucratization and a slimming of organizational structures, it has actually led to a re-bureaucratization of organizational procedures (Røvik, 2007, p. 219). Despite the intentions, deregulation creates additional bureaucracy (Dekker, 2017(Dekker, , 2020. In this article, we wish to explore why this situation has occurred.

Functional regulation contributing to overregulation
Governments can employ functional regulation if an industry is accountable and takes its risks seriously (Dekker, 2012, p. 8). Accountability here means demonstrating the existence of measures to prevent harm. A firm's activities must be accounted for in an auditable, transparent, and therefore measurable way (Power, 1999(Power, , 2007. It reflects a bureaucratic belief in documentation and procedures as ways to control risks (Eisenstadt, 1959, p. 306). With paper trails, supervisors, inspectors and other stakeholders can ensure that rules are being followed without examining the actual work, only through audit of the documentation (Hood, 2007(Hood, , p. 1996. Regulators ensure organizations are audited to demonstrate accountability, which is accomplished with documentation and written procedures of all activities in an organization. Auditing in this case is about ensuring that systems have the ability to reach the goal in question. Auditing requires measurement and discipline, and it comes at the expense of trust, dialogue, and autonomy (Power, 1999). To audit accountability fairly, there is a need for measurable tasks-standardized, objectified, and quantifiable (Jensen and Winthereik, 2017). Rules standardize tasks, making work suitable for documentation and auditing (Hohnen and Hasle, 2011). That way, work is made legible (Scott, 1998). Legible work is necessary for a bureaucracy-any bureaucracy, internal or external-to summarize (read: oversimplify) aspects of a complex world of work so that it can actually supply itself with the data it needs to function. When an organization standardizes its tasks, they are documented and can be audited and compared with tasks in other organizations or industries. Standards also allow information to move easily between contexts (Almklov, 2008;Latour, 1987), since tasks are separated from personnel and organizations from tasks, as in Weber's initial values of bureaucracy. Standardization thus has drawbacks like the negative sides of bureaucracy and professional alienation (Amundsen and Kongsvik, 2016, pp. 138-141;Bieder and Bourrier, 2013).
The quality management and auditing industry favour written procedures for these reasons of transparency, and hence create major incentives for companies to write weighty procedure manuals but tend then to be blind to the gap with reality which a paperwork-based system audit does not pick up. (Hale and Borys, 2013a, p. 230) Back in the 1990s, Power (1994) described an audit explosion in Western society. A number of interlocking mechanisms have created the conditions for auditable risk management (Power, 2007, p. 153). Audits now appear as natural solutions to most problems, without questioning whether other measures might be better (Hohnen and Hasle, 2011). Jensen and Winthereik (2017) have studied how the notion of an 'audit society' has spread internally in organizations. The idea of audits has penetrated so deeply that it has changed the very nature of knowledge-creation (Jensen and Winthereik, 2017, p. 176). Auditing has become a way of thinking of and building knowledge. Auditing loops are "mutually shaping interactions between auditors and auditees that cross organizational barriers in multiple directions, both 'downstream' and 'upstream.'" (Jensen and Winthereik, 2017, p. 161). Audits construct the environments they operate in to make them more auditable, with failures simply calling for more auditing (Jensen and Winthereik, 2017, p. 177). Audits were supposed to be detached from core activities, following another set of rules than those activities, but the audit way of thinking is now embedded in our whole society, even in how we operate and create knowledge.

Safety management contributes to overregulation
While the last sections described trends of deregulation and accountability, this section goes into the topic of safety management. Accountability and transparency ideas have made society expect safety management by organizations (Xue et al., 2015). As a result, safety management regulation has become more common, and because of deregulatory inspirations, it is often functional: organizations should implement, use and internally control safety management systems (Baram and Lindøe, 2013). The systems must include documentation of risk assessments and hazardous work task. It should fit the actual activity in the organizations, as the regulations "emphasize the required outcomes of safety management, allowing considerable freedom on the part of the operators of hazardous technologies to identify the means by which these ends will be achieved" (Reason, 2013, p. 175).
Still, it is common that safety management systems do not lead to procedures designed for an organization's operations (Hale and Borys, 2013b). Many practitioners and researchers consider safety management systems in general as too extensive, bureaucratic, and focused on documentation, thus creating a risk rather than ensuring safety (Antonsen et al., 2012;Bieder and Bourrier, 2013;Dekker, 2014;Rae et al., 2018;Walters et al., 2011). And indeed, the time-period after introduction of safety management regulation coincided with a time of more accidents (for example Le Coze, 2013;Maritime Authority, 2015;Oltedal, 2011).
In the safety management systems, the organizations have a strong tendency to include all regulatory expectations, not only safety management. Through these over-achieving systems they hope to absolutely ensure the demonstration of accountability towards financial backers, insurance companies, and other stakeholders, as well as to government (Baram and Lindøe, 2013). This way to manage liability, market, etc, is founded on societal ideas or beliefs on how to be legitimate (Rowan et al., 2006;Røvik, 2007). It is not thought of as a socially created routine, but as rule-like facts and the natural way to behave (Røvik, 1998, p. 19). For example, liability (or tort) law has been shown to result in overly detailed descriptions of task operations-the typical reason offered is that this protects management (Hood, 2007). This context of outsized systems and detailed descriptions is what we in this paper define as overregulation in the organizations.
Standardized off-the-shelf safety management systems may also contribute to overregulation. Consultants in the safety area have created an industry out of offering auditable safety management systems as a commodity Provan et al., 2017). The safety management systems are developed for an industry segment, including its auditors, and take in general tasks for that segment, and ignore others. Following, they can lead to disempowerment, loss of local knowledge, increased bureaucracy, and less hands-on management (Antonsen et al., 2012). Overreliance on such safety management can suppress other organizational functions and increase risk in areas the systems do not examine (Power, 2004, p. 49).
Even those organizations that have made their own safety management systems still have ended up with overregulation due to auditability. The functional regulations' verification requirement: accountability and audit demands far outpace regulatory safety goals and the actual operational work necessary to create safety in practice (Morel et al., 2008;Størkersen, 2018). Organizations must document their safety management in terms that auditors will accept. This makes their safety management auditable rather than practical (or even safe). It seems that regulation disqualifies itself when verification is the chief goal (Størkersen, 2018). These unintended results of the regulations are difficult to change for each organization (Rosness, 2004), and even regulators: A regulatory regime is not empowered to cure this problem by orchestrating all social controls and the factors that shape them into a coherent system for promoting safety because its statutory mandate does not provide it with authority to adjust corporate governance, liability law, private insurance, market forces, and other social controls. (Baram and Lindøe, 2013, pp. 38-39) As we can see, safety management is intertwined in societal ideas of legitimacy, accountability, bureaucracy and deregulation (Størkersen, 2018).

Norwegian fish farming and coastal cargo and their safety management regulation
The two industries investigated in this study play important roles for the Norwegian economy. Both coastal cargo transport and fish farming operations are performed in coastal waters. An operational manager heads the operations, and practitioners make most safety related decisions themselves (or within their own teams). The structure, training, traditions, purpose activities and safety management regulations between these two industries are similar, but not the same.
Aquaculture has recently become one of Norway's largest industries. Salmon farming is the most common and profitable industry branch. Salmon farming companies have grown and merged the last decades, and most companies today have at least a hundred employees, spread across different fish farms along the coast. Each fish farm has a group of employees that perform daily inspections and other tasks, often using boats and operating cranes. In a survey workers stated acute injuries as well as strain as the two main causes for work-related sickness absence (Thorvaldsen et al., 2017). Here, safety management systems have been mandatory since 1996 (Norwegian internal control regulation, 1996). Companies have to implement systematic measures to improve their health, safety and working environment (Saksvik et al., 2003). Initially, the systems were of only theoretical interest (Allred et al., 2005). The idea was that these systems should be simplistic and practical (Fenstad et al., 2009), but safety management systems of many fish farm companies have grown out of proportions and are clearly at odds with the original intentions (Kongsvik et al., 2018). Regulations demand safety management systems with procedures for personnel safety, and systems with procedures for fish welfare, safe keeping, and quality. Different regulators supervise each system. Transport vessels have a long tradition on the Norwegian coast. Norway is a large maritime nation, but only a few of the vessels are used for domestic cargo transport between ports along the coast. These vessels transport sand, asphalt, scrap metal, salt, live salmon, salmon fodder, oil, gas, furniture, general cargo in containers etc. Each coastal vessel has three to ten crewmembers. The ship navigators are either captains/masters or chief officers/mates. This means they are the operational managers, accountable for safety and operations on board. The captain has the overarching responsibility, while the chief officer usually has responsibility for parts of safety management. Navigators are middle managers, with sizable responsibilities. This is similar to operational managers at the fish farms. The ship-owners often own one, two or ten vessels. They follow international safety management regulation issued by the International Maritime Organization that is ratified by the national states, and ratified by Norwegian law. The International Management Code for the Safe Operation of Ships and for Pollution Prevention (the ISM Code) came into force in 1998, and Norway has enforced it since 1999. The ISM Code states that shipowning companies must implement functional safety management systems on every vessel (IMO, 2017). The ISM Code might have some positive effects for safety (Lappalainen, 2016), but it often results in safety clutter (Bhattacharya, 2009). The most recent study shows that even though the ISM Code and corresponding documentation and rule translation might be a benefit for crewmembers, it can be risk-inducing for navigators who perform documentation and rule translation activities (Størkersen et al., 2017).

Method
This is a qualitative analysis of in-depth interviews with 35 Norwegian fish farmers and 10 ship navigators. All interviews were performed during 2017, for two parallel research projects about organizational conditions and safety. Both projects were financed by the Research Council of Norway and followed ethical guidelines. In general, the interviews were semi structured research interviews of 1-2 h. One or two researchers asked one to five respondents about questions from an interview guide, comprising direct questions about safety management, drivers for procedures or improvement of the safety management systems. The interviews were either recorded and transcribed, or notes were taken directly. All transcriptions and notes were anonymized.
The researchers analyzed the interview transcripts and notes manually, using pattern analysis. Many in the industries had similar views, and in Section 5 we illustrate their points through quotes from interviewees that expressed the patterns clearly.

Fish farmers
In aquaculture, more precisely fish farming, we interviewed 35 employees in seven salmon farming companies in the middle and northern parts of Norway. In this paper, when referring to these interviewees collectively, we use the term fish farmers. Eight of them were managers and administrative personnel, and were interviewed at the offices. 27 persons worked, and were interviewed, at the fish farm sites. Of these, approximately 10 were operational managers, the rest were their personnel. Operational managers are middle managers that usually perform the practical work together with their team, as well as have administrative duties and personnel responsibility. Interview topics involved organizational conditions that influenced personnel health and safety, and some of the results are previously published (Salomonsen et al., 2019;Thorvaldsen et al., 2020).

Ship navigators
In coastal transport, we interviewed 10 ship navigators in six shipowning companies. Seven of the interviewees worked on bulk vessels, one on a live fish carrier, and two on fodder and general cargo vessels. The vessels have Norwegian owners, and some are registered in Norway and carry only Norwegian personnel, while others have a Norwegian captain and Asian or Eastern European crew. Six interviews had to be conducted by phone, with one researcher talking to one ship navigator. The other interviews were conducted on vessels, each with one researcher interviewing two navigators. Interview topics were conditions for work and rest, and perceptions of safety, leadership, team culture and safety regulation, and some results are reported earlier Størkersen et al., 2018).

Limitations of the research method
For this particular paper, we only include the interviewees' reflections around overregulation. This is a negative term, connected to extensive safety management-and suggestions for improvement. Thus, the material is negatively skewed: The interviewees' stories about positive experiences with safety management are left out. In the entire data material, only one company (a fish farm company) had a simple safety management system that the employees viewed positively. Some others, although very few, were fond of the safety management. Still, all interviewees had some experiences with and views about overregulation, and thus are represented in the patterns of this data analysis. Some of the topics discussed in the current study as rationales for overregulation, might also contribute to safety one way or another. See more balanced studies by example Størkersen (2018), Kongsvik et al. (2018), Lappalainen (2016).

Empirical results
In this section, we present the empirical data from Norwegian fish farms and coastal transport regarding rationalities for overregulation. The material is categorized in three rationalities: Overregulation because practical work is not easily verifiable; because of managerial insecurity; and because of audit practices.
The problem isthe system is big. You have […] ISM companies, you have audits, you have the Devil and his dam. Chief officer, bulk vessel

Overregulation because practical work is demanding to verify
Both in Norwegian fish farming and coastal transport the interviewees describe overregulation in terms of oversized safety management systems that require considerable attention. One reason for the overregulation is related to the otherwise practical nature of the operations and following professional inclinations. The personnel have traditionally been more focused on core tasks of taking care of the fish, cargo, or vessel, than to make the tasks accountable and auditable.
They won't sit and press keys on the computer all day. Later, it's become more and more that you're to document everything you do. Operational manager, fish farm Fish farms: Safety management systems for fish farmers are a relative novelty, since most of the attention goes to the health and safety of the fish and environment. A fish farm company has several fish farm sites. Earlier, the personnel at each site would perform the tasks according to the local situation. To make the work easier to plan, and understand for the central management, procedures now standardize the routines across sites.
A procedure's there to standardize a task for the entire company. To have a plan behind. Operational manager, fish farm Transport: In coastal cargo, it has the last decades become common that the company managements buy premade safety management systems, to be sure they comply with regulations. According to the interviewed navigators, the purchased systems are made by consultant companies for vessels that have more complex tasks than their.
We lost control when we had to throw away our simple sheets, and got 23 bindings on board. But that was the first ISM system, we have shrunk it later. Chief officer, bulk vessel The operationalization is left to the vessel crews, but they get new systems quite often, and do not have time to make the efforts every time. Therefore, they rather continue to work as before and not according to the procedures that are bought to formally be compliant.
It's common to buy a system and just start using it. It makes it frustrating and acting instead of reality. It makes people loose motivation. Chief officer, fodder vessel Many navigators blame the regulations for the ill-fitting procedures, while others know how the systems relate to the safety management regulation (the ISM Code), and what they can adapt. This chief officer tells how he transforms the system into procedures fitting his vessel: The ISM Code contributes to safety. In conversations, it seems others don't see it like that. Often it's because they don't know enough, they make it difficult themselves, because it's not interaction between what they think and practice. We run trainings adapted to our vessel, but it might deviate from what's described [in our safety management system], for a larger vessel. When we get the system on board, it's often written for another vessel, including the procedures. Then we have the job to make the procedures correspond to what we really do. Chief officer, fodder vessel Independent of the quality of the procedures, the regulation's verification demands make the companies apply paper trails. The interviewees see the documentation as onerous, and more extensive than required.
The paper work you have to sign out all the time, right. It consumes time that I should've spent to, eh, perhaps be a good sailor. And it brings more tasks for you to do, right. Instead, you sit writing reports and check lists and … Captain, bulk vessel

Overregulation because of liability management and managerial insecurity
The size and scope of safety management has grown in both industries over the past decades, and the interviewees state expectation K. Størkersen, et al. Safety Science 128 (2020) 104772 by society as the reason. Societyin the form of managements, insurers, lawyers, regulators, and auditorsis inspired by the highly regulated petroleum industry. Their extensive safety management have proved to be impractical to adapt to fish farming and coastal transport, but it is still treated as the gold standard within liability. So, liability concerns lead company management and directors to desire and implement safety management systems that contain documentation and procedures, even for actions that go without saying or that truly need no (written) specification. Management fear of being accused for having too few procedures thus results in safety management systems that are too extensive and hardly read or used. Fish farms: Many fish farms have, in addition to procedures in two separate management systems, two categories of procedures and instructions. These systems usually are made by office-based safety professionals. The administrative and operational personnel have different perspectives, but a similar understanding of that the procedures mainly are there for liability reasons, and in practice can be ignored, as these quotes describe: Not many have read the procedures, but I didn't have great expectations about that either. To expect that procedures are actively used, that's probably … I don't think one can expect it. Manager for internal control and safety management A lot of this is like … I know it very well. Like "vehicles with certificate requirements are only to be run by a driver with certified training". […] So I don't have to intensively read the procedures to know that I need a license to drive the forklift. Operational personnel, fish farm In fish farm companies, office and operational personnel underline that their actions are closely watched by shareholders and media, and that bad attention can harm them.
If we don't have things in order or have the procedures, questions will be raised regarding why we didn't have the right procedures or did this instead of that. Manager for internal control and safety management, fish farm company We need to have a procedure for every work task. If something went wrong during work and we didn't have a procedure for that task, one gets hung. Operational manager, fish farm In addition to liability reasons, the fish farmers are concerned with legitimacy. They state that their safety management systems have grown in size because surrounding actors expect satisfactory safety management. Consequently, the perception about how safety management relates to good safety culture have spread in the industry.
We've looked around us, what's happening other places regarding safety. We're taken seriously, and the workers are our most important resource. Operational manager, fish farm Due to market reasons, it also has become common for fish farm companies to engage in private certifications. In addition, insurance companies have their own safety management audits.
Transport: In transport, however, stakeholders other than government are not as concerned with safety management. Yet shipping companies have clear rules for audits, and they all need their ISM certificate to stay in business. Given that margins are small, the industry typically seeks the cheapest safety management systems that has the chance of being approved in audits. The procedures in many of these pre-made systems are much more complicated than needed: The company might not have taken a closer look at it. They buy a commodity, but it was made for a large offshore vessel, and we get their procedures. That's the tendency, that we get their procedures, but we don't have the corresponding operations and training. Chief officer, fodder vessel Sometimes the procedures seem to be implemented because of misunderstandings of (or insecurity about) the requirements. Demands for "documentation", for example, can be taken in all kinds of ways: A lot of the paperwork seafarers talk about is self-induced. I've thrown away many loose-leaf bindings because the company had a rule that all HSE meeting memos had to be put in a binding on a shelf. Chief officer, live fish carrier Many seafarers consider blame avoidance to be the main reason behind today's safety management regulation. This requires that there are clear procedures for all tasks, and enforcement of them: I think the intention was that they wanted someone to be responsible. Many call it the World Championship in liability disclaim. On a vessel, much is pushed from company management to ship management. And it's up to them to keep … make it work in practice. You get lots of procedures and instructions and all this, and you're to plan your day so everything's complied with. Which is close to impossible, in many cases. And if you do something that isn't compliant, you put your head on the chopping block. If it blowsit's your responsibility. Chief officer, bulk vessel

Overregulation because of auditor expectations
Companies desire safety management systems that most certainly will be approved. This means systems that comply with regulation (which in practice manifests as textual documentation for everything, and procedures covering all activities), and which are easy for the auditor to understand. Managers are conscious that standardized systems with standardized procedures are likely to make the auditor recognize the content and be confident that the system is compliant.
Fish farms: Safety management audits at fish farms are performed by government, insurance companies and non-governmental certification organizations. Private certification and insurance companies require extra procedures and training on top of government regulations, for example about how to run a crane, or prevent fish from escaping: Our internal rules are stricter [than government's], the way we do it. It is. Our basic equipment and such, it's much stricter than the governmental requirements.
[…] It's for the best for the people. You continuously think about what could happen, worst case, and what can prevent it, how to solve it. Operational manager, fish farm The private audits are more extensive and frequent than the governmental.
It makes us practice on the small things that you usually don't think about in everyday work. The more you practice, the more you keep it in mind.
[…] At first, it was a hustle, since we got maybe a hundred items to improve. But now … we mostly get only half a nonconformity. Operational manager, fish farm The sheer frequency makes fish farmers familiar with audits, auditors and how to be audited. The interviewees imply that one needs to know each auditor since they all have a different focus, despite the goal of standardization.
When you know them, you know where to focus. If this one is coming, you need to focus on this. If he or she comes, you must focus on that. It varies. Some might easily pass by a crane that looks like shit, that isn't approved any more. One [certification auditor] used to be a factory manager and experienced a large accident with chlorine, acids and bases, and she had a huge focus on that. Not on other thingsthat was "well well, not that important". So it's very dependent on person, everything really. It's the same in governmental supervisions. Extremely dependent on person. It could've been more similar. But sometimes it's okay that it's personal.
[…] But the approaches shouldn't be that different. Responsible for internal control and safety management, fish farm Transport: In Norwegian coastal transport, safety management systems are mainly audited to be ISM certified and thus be able to operate. The idea that standardized systems are easily auditable further drives the companies to buy pre-made safety management systems. The navigators stated that purchasing auditable safety management systems with which to fulfill safety management regulations might get them through audits, but does nothing to improve safety.
It's easy for the ship-owner company to get zero nonconformities and comply with what's to be complied with. And so it won't be adjusted [to our activity]. They just buy the product and are through with it.
[…] You bring apples to school to please your teacher, but you're not getting full yourself. You don't help yourself. Chief officer, fodder vessel In cargo, too, practitioners get familiar with the auditors and the concept of safety management auditing, and are able to prepare for each auditor. Underlining that auditor-specific adjustment might not drive safety in the long term, one captain compares the industry practice with children's conditioning: We answer what we know our parents want to hear. That's very smart to answer, it keeps us out of trouble. Captain, general cargo vessel Despite all this, even documentation based on off-the-shelf safety management systems can generate nonconformities. Each nonconformity creates a "case" that has to be "closed" by the company. A common measure to close the case is to insert a new procedure, since this can be achieved relatively cheap and will make the auditor approve the system in the next round. Still, there is an understanding that the auditors at all inspections will find something that the seafarers did not think about: One example. A procedure says we need to plan the voyages. And we plan each voyagethey're all the same. And we got a nonconformity because we don't plan each voyage.
[…] It gets registered in their system that we have a nonconformity, and the ship-owning company isn't happy about that. It influences our certification and has to be improved and closed. Chief officer, fodder vessel Then a final twist: seafarers have started considering internal audits positively, since they prepare them for the official audits on which their certification depends. Some years ago they would not be satisfied with any audit, but the mindset has changed. We found no evidence that anybody believes that this improves their company's safety, but at least it helps them assure continued certification: We have annual audits onboard. You might safeguard yourself all you want, but it's always a good thing when objective eyes take another perspectives than you. At another vessel, my coworker and I thought everything was ok, but we were stripped naked. He saw everything we ourselves had become blind to. Chief officer, fodder vessel

Mechanisms leading to overregulation
For years, the signs of overregulation in many industries have puzzled regulators, industry actors, and the public. Our study traces how the company-internal overregulation structurally relates to government deregulation through at least three empirical noticeable mechanisms: Making work auditable, managerial insecurity and liability, and audit practices. These mechanisms relate to underlying societal traditions, leading deregulation to turn into overregulation in the meetings with market, bureaucracy and control of work variability.

Making work auditable
First, we find that overregulation occurs when work has to be limited into auditable documentation. In variable operations, like the operations in the Norwegian fish farm and cargo industries, the very concept of regulation is closely related to overregulation. As foretold by earlier studies in ocean-based industries, classic safety interventions (which typically involve more documentation) challenge the classical notion of seamanship, and involve a risk of practical drift (Antonsen et al., 2012;Knudsen, 2009;Morel et al., 2008;Oltedal, 2011;Størkersen, 2012;Thorvaldsen, 2013). Many experience that safety is trapped in rules (Bieder and Bourrier, 2013). Some interviewees describe their practical craftsmanship and native resilience: a high level of adaptability, based on expertise and experience, linked to an exposure to frequent and considerable risk, where ultimately each operational team is responsible for their own safety (Morel et al., 2008).
Native resilience can be seen as a traditional safety strategy, since work is highly varied, intangible and inauditable in nature, and thus may be one of the mechanisms leading regulators and company managers to strive for formal and standardized safety management. The varied real operations are difficult to document. Still, control of work is aspired for by both companies and regulators, so work has to be made legible (Scott, 1998). Then, the local situational context and variability has to be changed into something auditable (Almklov and Antonsen, 2014;Power, 1999).
The bureaucratic methods of accountability depend upon activities and situations of each local context being translated into slots on the accountants' sheets (Almklov et al., 2014, p. 27).
The easily auditable systems that the fish farmers and navigators describe, fit with traditional bureaucratic measures for demonstrating accountability. Companies need to document their operations in a standardized manner in order to be verified and checked in a standardized manner, laying the grounds for an audit loop (Jensen and Winthereik, 2017).
In further studies, it should be interesting to trace how presence of various work practices might have inspired regulators' and company management implementation of detailed regulations and procedures, both historically and nowadays. Local differences probably have influenced regulations themselves, and, consequently, company procedures and responses to regulation.

Managerial insecurity and liability
Second, our study reveals signs that overregulation results when functional regulation meets managers' accountability routines. In most functional regulations, verification is essential. A long line of procedures grows out of management fear of being written up by auditors for having too few procedures or not covering essential issues. A combination of liability law and functional regulation implicitly urges leaders to prove that they have taken all practical measures to protect their employees (Jacobs, 2007). Since managers are insecure of how to comply with this and think they are powerless against the forces of control and accountability (Størkersen, 2018), they secure themselves through over-specified procedures (Rae et al., 2018). Especially, liability concerns can compel an organization's leadership to implement written procedures even for actions that go without saying, to make the employees accountable (Hood, 2007). Dismantling state regulation has been shown to lead to more litigation, more mistrust, and more lawyers (Johnstone, 2017). E.g., in 1990, there were already more lawyers in the US than farmers (Albert, 1993). Juridical support from lawyers and consultants has also become common in the industries in the present study.
This suggests that there is a clear need to develop new ways to show due diligence in relation to regulatory requirements. Rolston (2010) offers a beautiful example, in mining, where work crews deliberately avoided using bureaucratized safety systems, and instead built on their collective responsibility for mitigating risk by reframing official safety programs in terms of kinship-specifically the ties of relatedness crew members create with each other in their everyday work. Encouragingly, "management eventually adopted this framing as well in order to distance themselves from an industry blighted by conflict, encourage employees to stay in the midst of a labor shortage, and maintain enviable safety records" (p. 331). In fishing, seafaring and fish farming, similar operational practices have been described among sharp-end personnel, but here, the informal safety practices have existed in the shadow of the formal safety management systems (Bhattacharya, 2009;Bye and Lamvik, 2007;Størkersen, 2012;Thorvaldsen, 2013;Vandeskog, 2015). Such kinship relationships are likely to still be present in Norwegian fish farming and coastal cargo shipping. In the future, management could harness such informal safety practices, rather than overcompensating through formal safety management.

Audit practices
A third mechanism for overregulation, closely related to the managerial insecurity among the studied companies, occurs when functional regulation meets audit practices. Managers desire safety management systems that will easily be approved by auditors. In practice, this means the system includes textual documentation for everything, procedures covering all activities, and presents a standardized structure. In coastal transport, where budgets are marginal (Lindøe et al., 2011), standardized safety management systems which sail through audits are highly attractive. In fish farming, where profit is high and the organizations larger, slam-dunk audits and standardization across subdivisions are still sought-after. This is recognizable in other industries too.  explain: …companies are expected to have transparent standardized systems for control. For external auditors and authorities, it is primarily the systems that are subject to control and regulation… safety standards should be seen not only as attempts to ensure safety and interoperability but also as a means of making safety work transparent across contexts. If workers perform tasks as the standards prescribe, they are compliant, at least from an accountability perspective, and this compliance is transparent to regulators and others without having to further investigate details of the local setting… [Yet] the rules, which are made to be applicable in several different settings, are more complex, more abstract, and less locally relevant than what is optimal for each setting… (pp. 26-27).
However, informants in the present study indicated that safety management audits are far from similar and objective, but rather quite subjective, contrary to the bureaucratic image they project. We also find that the understanding of 'documentation' is narrowly practiced, limited to textual documentation, even though safety management regulations open up for different types of documentation and verification. These findings show that an auditing regime is one important reason why simple deregulatory measures cannot be transformed into simple systems inside companies (Størkersen, 2018). It is possible to imagine other ways to develop and document systems, like for example Rolston (2010) and Dekker (2017) have shown with practical safety management and trust instead of traditional audits, and thus change what is auditable. This, as most of our findings, boils down to society's beliefs in achieving control through verification of companies' actions, which we continue to urge at the same time as we expect deregulation (Røvik, 2007).

Overregulation when deregulation meets market, bureaucracy, and control of work
The three described mechanisms leading to overregulation are influenced by deregulation, but also to a large degree based in other traditions. Regulatory means, whether it is deregulation or other, are applied in a society that already is full of ideas for how an organization should operate. We have clear beliefs of how companies should behave within a market or a bureaucracy, or to control work (Røvik, 2007). Let us look into deregulation and how its consequences are entangled in such traditions.
Regulation is one measure to make companies operate according to societal values. Deregulation was implemented to ease the resources and power used by state actors, pushing the responsibility to the regulated companies. This was a reaction to governments' overregulation in earlier decades. For example, a large number of detailed safety rules made with great efforts by US regulators, was by the companies perceived as impossible to comply withand thus lead to underregulation (Mendeloff, 1981). In today's functional regulation, companies are to make systems and procedures adequate to their business. However, when the mandatory governmental rules are few, it is difficult to understand what is auditable. Thus, the responsibilization of the companies have shown to complicate enforcement and compliance (Baram and Lindøe, 2013;Rae et al., 2018). This study displays how functional regulations open up for bureaucratic and market influence on the safety management systems.
When the expectations from government are confusing, a familiar straw many cling to is the bureaucratic measures of standardized auditable documentation and audits (Hood, 2007;Power, 1994Power, , 2004. Even though documentation and verification are common bureaucratic ideas, in safety management they do not support the basis of bureaucracy, equality for the law, as audits have different focus and companies make systems based on it. It seems accidentally how much this bureaucracy overload enhances safety (Størkersen, 2018).
As we have seen, the vagueness of demonstrating compliance makes companies receptive to any help they can get, and this is where the market comes in to meet the need. Our study illustrates how functional regulation creates insecurity and lead both industry actors and regulators to depend on buying services and systems from consultants with overspecified safety management systems. It is unlikely that this kind of regime changes without substantial (inter)national initiatives against beliefs in the superiority of market solutions for every societal problem.
A more subtle illustration of how market traditions are intertwined in safety management is the studied practitioners' engagement in corporate legitimacy. Through safety management they want to demonstrate accountability, so their company can sustain customers and stay in business (as also explained by Hohnen and Hasle (2011)). They are very concerned with written documentation and logs, and what auditors will accept or not, beyond the mandatory regulations. The emphasis on legitimacy is not necessarily connected to this regulatory regime, as even Mendeloff (1981, p. 51) saw that companies would accept and follow regulations in order to show "social responsibility, fear of liability, a desire for competitive advantage". In the present study, this desire for legitimacy was found as well. This is especially clear in fish farming, where the companies rely on a good reputation to get licensed to increase production (Osmundsen and Olsen, 2017). In transport, this is more indirect, as their regulation is mostly concerned with fulfilling regulations without any non-conformities. Both strategies, however, lead to a need to demonstrate compliance, and both fish farmers and transport companies described how they tailor the audits toward an individual auditor. What seems not to have been described earlier is that we observe an auditism among the practitioners, who will go great lengths just to be auditable. When tasks are done to be auditable rather than because they are useful, and later they are audited on the same indicators as they were performed because of, we get audit loops (Jensen and Winthereik, 2017). Audit loops are perhaps the most perfect achievement of bureaucratic accountability: a system of checks and verifications that has become consistent only with itself, and that has less and less to do with the way risk might be building up outside the administrative self-referential knowledge bubble. Turner studied this in the 1970s, referring to the 'incubation period' during which an organization's administratively constructed picture of the world and its hazards slowly drifts away from what actually matters on the frontline. Oversized safety management systems require attention, and as attention is a scarce resource, the systems might function as 'decoys' (Turner, 1978). The fish farmers and navigators of the present study all describe their safety management in terms of accountability, documentation, and audits-not in terms of practical goals, or work, or risk, or safety. Yet, as has been emphasized in several studies, unpredicted risks may require an opposite approach to following rules, using practical experience and the ability to improvise (Hale and Borys, 2013b; Hohnen and Hasle, 2011).
Overall, we can see that when deregulation meets societal traditions of how an organization should behave, it can lead to overregulation. We have illustrated that traditions of bureaucracy, market, and the control of work steers safety management system implementation in unintended directions (as also discussed in Dekker (2017); Størkersen (2018) and others). On the one hand, Mendeloff (1981) described how overregulation led to deregulation because of regulators and industry actors' abilities and willingness to implement the rules. For Norwegian transportation on the other hand, Rosness (2004) foresaw that coordination of safety-critical tasks would need detailed industry standards on top of the governmental functional regulations, making deregulation result in increased regulation. Independent of regulatory strategy, it is difficult to find the balance of freedom and control, for regulators and for managers. Thus, it might not be farfetched to discuss some form of a rule homeostasisthat deregulation will lead to at least as many rules as other types of regulation.
This study has traced how governmental deregulation can turn into industrial overregulation, using examples from the Norwegian fish farming and coastal transport industries. Based on empirical data, it shows how overregulation is the result of organizational mechanisms like making work auditable, managerial insecurity and liability, and audit practices. These mechanisms display how functional regulation, as a deregulatory measure, can lead to overregulation when it interacts with other traditions of how organizations demonstrate accountability. Organizational expectations of market doctrines, bureaucracy and control of work, turn simple regulations into very detailed, cumbersome procedures inside an organization-ever increasing the distance between how we think work is done, and how it is actually done.