Considerations for Worker Safety

What are the Definitions of Any Technical Terms Involved?

Who's Responsible and What are They Responsible For?

State regulations specify required actions when wildfire smoke affects outdoor air quality at five different AQI values and action levels. WSU had to determine which administrative offices would be responsible for managing and performing the various actions needed to deal with smoke events:

• Campus Environmental Health and Safety (EHS) offices: Monitoring air quality; notifying departments/units, workers, and students by email of air quality risks; and providing applicable information resources.
• Campus Facilities Services offices: Operating facility heating, ventilation, and air conditioning (HVAC) systems to reduce indoor PM 2.5 concentrations whenever feasible; work with building occupants to keep all windows, doors, and other exterior openings closed as much as possible.
• Research and Extension Centers (RECs): Notifying REC facilities, farms, and workers of air quality, risks, and applicable information resources.
• Departments/Units: Enforcing the policy; establishing effective methods of communicating air quality risk notifications to workers who don't have access to email.

What Actions are Required?

Why is Wildfire Smoke Exposure a Concern?

Creating Your Own Policy

Risk Management Policy Considerations

Identifying, minimizing, and controlling exposures to loss are important functions for all institutions.  Most of you have already implemented a risk management policy for your college or university, or are in the process of developing or updating one.

My institution, Washington State University (WSU), published an administrative Policy on Risk Management (EP6) in January 2019.  In August 2023, we finalized a revision to EP6 which included a number of new approaches for overseeing this process that I thought I'd share for your consideration.

Enterprise Type—Campus or System

WSU has multiple campuses in various parts of the state, plus an online (global) campus.  For many years, our Pullman campus was our main administrative hub.  A few years ago, the administration decided to move to a systemwide management model, with each campus, including our flagship Pullman campus, led by a separate campus chancellor, who in turn reports to our system president. 

Some administrative functions are best served by specific campus oversight, and some are best served by systemwide oversight.  International standards encourage an enterprise (systemwide) approach to risk management.  WSU follows International Organization for Standardization (ISO) 31000: 2018—Risk Management Guidelines to identify potential obstacles or occurrences that could threaten an enterprise's ability to meet its mission and goals.

Enterprise Risk Management Software

The state of Washington also encourages an enterprise approach to risk management by state agencies, of which WSU is one.  To facilitate this, the Washington Department of Enterprise Services (DES) provides software modules to the risk management offices at all state agencies to assist with risk identification and rating, risk controls, and planning for managing risks.  The software that DES selected to distribute is the Origami risk management information system. The software platform integrates insurance, risk, safety, and compliance solutions.

I found this addition to our policy rather fascinating, as I'm a fan of tech solutions.  Since the software is distributed directly to our RM office only, little direct information was put into our executive policy.  If you're interested in investigating this further, go to the link above to get more information from the manufacturer's website.

Administrative Oversight

WSU decided to implement a four-level approach to administrative oversight of risk management:

1. Risk Management Executive Committee (RMEC):  RMEC is a presidential committee that provides executive oversight for enterprise and operational risk. It oversees the Enterprise Risk Management (ERM) process. RMEC also provides guidance to the Risk Management Advisory Group (RMAG) and Risk Management (RM) office.
   
2. Risk Management Advisory Group (RMAG): RMAG is appointed by our Executive Vice President of Finance and Administration. Its membership is representative of system units engaged in daily risk management. Units may request to join RMAG through the Risk Management Office.
   
3. Risk Management Office (RM): The RM office at WSU is a part of Compliance and Risk Management under Finance and Administration. RM coordinates and evaluates the risk management program for the WSU system and has responsibility and authority in four primary areas:
• Risk awareness, assessment, and assistance services to units and personnel;
• Coordination of systemwide risk committees;
• Managing and administering insurance coverages and related services to units; and,
• Reporting risks, accidents, injuries, liabilities, and other risk management activities to university departments and applicable state and federal agencies.


4. Individuals and Units: Individual employees, departments, and units are responsible for taking steps to reduce the risk of injury and accidental loss to the greatest extent possible, consistent with carrying out the institution's mission and goals. RM is available to provide assistance to individuals and units, as needed.

Every institution handles risk management processes differently, but as we've all found, it is a good idea to formalize a policy for managing risks.  I hope what I've shared from the WSU perspective helps you start or continue your own conversations about developing or revising risk management at your institution.

Implementing a "Policy on Policies"

If you've been in the policy administration business for any length of time, you've likely heard about, considered, and/or implemented a "policy on policies" at your institution. For those of you who don't already publish such a policy, I thought I'd discuss why I believe that it's a valuable tool to have in place.

Policy development is an important function, but getting administrative buy-in and notice of the importance of consistent policy development and tracking is sometimes difficult. Having a "policy on policies" provides an agreed-upon process for developing, reviewing, and approving policies, and ensures better compliance with the rules, regulations, and agreements that govern the business of higher education.

Here are some things to consider when creating or updating a policy on policies at your institution:

• Applicability
• Equity Review
• Required Policy Review and Approval Steps
• Templates or Framework

I'm also providing brief descriptions below of how we've chosen to handle these considerations here at Washington State University (WSU).

Applicability

Do you want a policy on policies that applies to all or only some policies?

At WSU, as with many public research universities, we have many types of institution-wide policy publications in place -- administrative policy manuals, academic policies and procedures, personnel manuals, research-related manuals, and our Washington Administrative Code (WAC) regulations.

When we first published an executive policy on policies, our administration decided to apply it to all policies except academic and single-unit or single-campus policies and procedures. The policy at that time outlined a draft/review/approval process that all policy publication departments were required to follow. Our policy on policies was revised recently to apply only to policies intended for publication in the four administrative policy manuals and the WAC regulations, which are managed by my office.

Equity Review

Do you want to include an equity review requirement in your policy on policies?

Our administration, including academic leadership, recently approved an equity review process, which includes an equity lens tool. My office agreed to publish the equity lens tool from our new Policy Development website, and to include discussion of the required process in the policy on policies.

Equity lens review includes review and approval both during the policy discussion phase and during the formal drafting and review phase of policy development.

And in the interest of increasing transparency and WSU community input, our Policy Development website includes descriptions of administrative policies under development and copies of drafts of the policies under review. (Copies of administrative policy drafts are available to WSU members only.) Copies of proposed WAC amendments continue to be published through the Washington State Register (WSR), and our Proposed WACs website links to the WSR proposals and public hearing information.

Required Policy Review and Approval Steps

Do you want to include specific actions for policy developers to complete when requesting new or revised policies, or removing policies? Do you want to have separate processes for major revisions and minor revisions?

In order to ensure that steps such as conducting the equity review, involving my office (for preparation and process oversight), and obtaining approvals from necessary administrators are completed, we decided to include step-by-step process instructions in our updated policy on policies. Our administration agreed to allow an abbreviated approval process for minor revisions.

Our policy on policies also includes periodic review requirements. For the most part it was decided to make the applicable administrative departments responsible for periodic review, as my office has a very limited staff (just two of us).

Template or Framework

Do you want your policy developers to use a template, or will you provide a policy framework to them for reference?

As I wrote in a previous blog a year or so back, we had for many years not required templates for policy development, but instead provided framework recommendations upon request. However, our compliance administration decided to implement a template for our executive policies and a template for our business and safety policies and procedures. (Links to these policy templates are available from our Policy Development website In the interest of moving forward with the updated policy on policies requirements as soon as possible, we have not applied the templates to our existing policies, but plan to restructure our policies as revisions occur. (Again, this is mainly due to staffing limitations and workload.)

In conclusion, if you haven't already implemented a "policy on policies," I highly recommend doing so. Having one in place greatly assists both policy developers and members of the policy administration office, by providing readily-accessible guidance and structure.

Note to ACUPA Members

Be sure to look at the ACUPA Templates and Other Tools webpage for samples to use to guide policy development, revision, review, and removal. These templates, guides, and tools have been developed from samples provided by policy administrators at multiple institutions and can be invaluable resources.

Framework Recommendations Instead of Templates

In conversations and webinars with other policy administrators, the debate about whether or not to use templates for writing and developing policies continually comes up. A number of institutions mandate the use of one or more templates for their users who want to develop policy and/or procedures documents.

I've worked for the past 25 years in the administrative policies office for Washington State University. We've chosen not to use a template for developing the administrative policies and/or procedures our office publishes. We do have a style guide, but it’s mostly involved with formatting and layout so that sections and policies have a uniform “look.” Our choice has predominantly been based on the idea of providing flexibility to our subject expert departments as they update or add new sections to our long-established administrative policy manuals.

In accordance with WSU's executive Policy on Policies (EP5), departments may begin development of their administrative policy/procedure rough drafts prior to bringing my office into the process or may request our assistance with developing the drafts from the beginning. As subject expert administrators get started, we do occasionally get requests for policy framework guidance from those who are new to policy writing and development.

Here’s a general outline that my office recommends for writing a new policy or policy/procedure section for placement in one of our administrative manuals:

• Overview and/or Policy Statement
  
  It’s sometimes useful to have both. If a section is especially long, placing a set of links to subsections in the document in the overview can be useful. For examples, see the beginnings of WSU's policy sections EP8 and EP38.
  
  In a section that's predominantly procedural, an overview might be more appropriate as a place to provide a summary of or references to the applicable policy.
  
  
• Purpose
  
  A purpose statement provides a brief description of the purpose of the policy and/or activity. In some cases, a purpose statement is provided in an overview or policy statement.
  
  
• Scope
  
  A scope statement describes the limitations or boundaries of the policy/procedure. Some writers choose to combine scope statements/subsections in either an overview or policy statement or within an applicability statement.
  
  
• Applicability
  
  An applicability statement or subsection describes the members of the institution's community (internal and/or external) directly impacted by the policy and/or expected to follow the policy/procedures.
  
  
• Roles and Responsibilities
  
  Roles and responsibilities statements provide a summary of the actions and/expectations each employee or role category is expected to fulfill with relation to the policy/procedures.
  
  
• Requirements
  
  Policy requirements are provided in this subsection. If procedures are included, any required procedural steps would be provided in the order the actions are to occur.
  
  
• Procedures (if applicable)
  
  Some institutions choose to keep policies and procedures separate. At WSU, we have quite a number of combined policy and procedures sections in our administrative manuals. For the most part, we recommend publishing procedures and policy/procedures within our business and safety manuals. However, we do have a small number of executive policies in which the executive administrators insisted upon including both policies and procedures.
  
  
• Definitions
  
  We recommend providing definitions applicable to the policy/procedures in their own subsection, especially if terms are used that are specific to a subject and/or include jargon. If there are only one or two terms that need to be defined, the definitions may be included directly with the reference.
  
  If this subsection is short, it might be placed after the applicability statement. However, if the definitions list is longer than a page, we often recommend placing the subsection at or near the end and providing an internal document link and/or reference, if needed, earlier in the policy.
  
  
• Additional Resources
  An additional resources subsection provides descriptions or lists and references (e.g., website URLs) including, but not limited to, supporting department contacts, state and federal agencies' websites, other supporting or related institutional policies and procedures.

Every policy office and institution handles their policy development process differently, and there's really no right or wrong answer. Does your institution mandate policy/procedure templates? Or make framework recommendations? Things to consider for both you and your users…

NOTE: ACUPA members have access to a number of resources, including templates, samples, and other tools that you may find useful in writing and developing your policies and procedures. To access the Templates and Tools under the Resources tab, sign in as a member.

How Safe Is Your Data? And Who Do You Tell If It's Not?

Data security and data privacy issues aren't new to higher education. But the pandemic years ramped up remote access to all institutional systems and increased administrative awareness of the compliance risks which accompany our increased electronic operations. Not only are administrators increasingly concerned with addressing these risks, but state and federal legislation has increased the requirements for the management and protection of institutional data, as well as notification to members of the public (including students and other clients) regarding data breaches.

My institution, Washington State University, beefed up its policies and procedures on system data and information security in 2020. Along with revising two executive policies (EP8 on data policies and EP37 on information security), our administrative policy office published a new chapter on information security in our Business Policies and Procedures Manual (BPPM) with seven new information security sections. (See BPPM Chapter 87.) And at the end of 2020, we published an executive policy on the requirements and responsibilities related to the university's designation as a HIPAA hybrid entity. (See EP40).

Our administration recently provided the rough drafts of two new BPPM policies to my administrative policy office for draft preparation and approval routing. One is a policy with related procedures regarding responses to information security incidents and breaches. The other concerns responses to breaches of protected health care information (PHI), which is planned for insertion into a new BPPM chapter on information privacy. The two policies will be linked through a new investigation process which is extensively outlined step-by-step and is to be used for both types of information privacy/security breaches. We hope to have these new policy/procedures sections approved and published by the fall, so you're welcome to revisit our BPPM for reference.

In conjunction with these new policies and procedures, our administration is updating the WSU system data and information security policies and procedures to address issues such as protection of WSU systems, services, devices, and data, including systems and data managed for the university by third parties and external cloud systems.

I'm sure that we're not the only institutions who are working on these types of policies. Are you and your administration working on data security and data privacy policies? Have you addressed how your institution will respond to data breaches?

In trying to understand the reasoning behind our administration's request for these policy changes, I did some looking around to see what recently published news and resources might be available. Here's what I found – I hope this information is useful to you.

• https://library.educause.edu/topics/cybersecurity/data-security
  (EDUCAUSE -- Information portal includes links to a number of helpful articles on data security, cloud security, data breaches, and data privacy)
  
  
• https://techbeacon.com/security/why-safe-harbor-best-way-forward-data-protection
  (July 2, 2021; TechBeacon (author: Stan Wisseman)
  
  
• https://thehill.com/opinion/technology/550959-massive-school-data-breach-shows-we-need-better-privacy-policies
  (Apr. 29, 2021; The Hill (authors: Williamson M. Evers and Jonathan Hofer)
  
  
• https://www.brookspierce.com/digital-media-and-data-privacy-law-blog/data-breach-defense-for-educational-institutions
  (June 16, 2021; Brooks Pierce (author: Will Quick) – Article includes steps to minimize risks)
  
  
• Research data breaches:
  https://er.educause.edu/articles/2021/6/research-raiders-how-to-protect-collaborative-data
  (June 8 2021; EDUCAUSE; Includes proactive safety steps)
  
  
• Data privacy law changes effective 2023 that may require policy changes:
  https://www.jdsupra.com/legalnews/10-key-differences-between-the-2023-5939867/
  (July 1, 2021; JD Supra (authors: Mark Brennan, Ryan Woo, Hogan Lovells))