BOKRIM Thinking

Compliance is not risk management

Like anything, how you think about risk management depends on your perspective.  For some, risk management is a tool that enables them to seek out greater risk in search of greater reward.  At the other end of the spectrum, risk management is a burdensome but necessary expense of running an organization:

  • Burdensome because risk management – in its traditional form – is about trying to prevent negative events that are inherently rare anyway so, most of the time, risk management expense has no obvious return.
  • Necessary because negative events, even if they are rare, still happen.

It is because risk management is burdensome for so many that it is also, often, compliance-driven.  For organizations that link risk with reward, forcing compliance is unnecessary.  But some organizations just need to be required to do the right things and others are happy that doing the right things is made easy for them.

The problem is that compliance and risk management are different types of activity that are incompatible with each other.  Compliance is what an organization is required by someone else to do; risk management means an organization develops their what based on their own why and how.

Compliance = what

Compliance causes organizations to follow or obey a set of rules. Rules are a set of explicit regulations governing conduct in a specific activity or sphere and are usually:

  1. designed to ensure something isn’t done badly, not that it is done well;
  2. one-size-fits-all, so they can be used by as many different types and sizes of organization as possible;
  3. biased (in the technical sense) because they are usually generated in response to an immediate need and with analysis that informs their development rarely encompassing any information beyond the experience of the membership of the group the rules are intended to cover, even when the underlying issue is far broader in scope; and
  4. slow to adapt because regulators always move on to the next immediate need and any “adaptation by design” has to accommodate the least adaptable entities the rules cover.

Rules are always compromises.

Compounding this inherent limitation, complying with rules offers no return other than that an organization is compliant.  So, while failure to comply has risks and costs, compliance activities and expenses rarely exceed what is needed to comply.

Sexual abuse and misconduct (SAM) is a risk that today is almost exclusively managed by compliance.  Whether it is a safe environment approach developed by the Catholic Church, a SafeSport approach, or a safe something else, most organizations looking after minors or vulnerable adults are required to follow certain the four pillars: policies and procedures designed to prevent abuse, background checks, training, and mandatory reporting.

The problem is that taking a compromised set of standards, and only requiring organizations to do enough to comply with them is the opposite of risk management.  It means telling organizations what to do but not why or how.  Applying such an approach to managing SAM risk is why minors and vulnerable adults are far less safe from SAM than they should or could be, why trust in youth-serving organizations remains so low, why statutes of limitation are being extended, suspended, and eliminated, and why insurers are withdrawing coverage for SAM.  For minors and vulnerable adults to be as safe from SAM as possible, SAM risk should be managed as well as possible, not by using compromised standards minimally applied.

Risk management = why, then how, then what

If management is finding the most effective combination of planning, organizing, staffing, directing, and controlling to achieve an objective, and risk is either preventing and mitigating the consequences of negative events or the effect of uncertainty on objectives, risk management is finding the most effective combination of planning, organizing, staffing, directing, and controlling to either prevent and mitigate negative events or minimize the effect of uncertainty on objectives.  In either case, its practice is almost the exact opposite of compliance.

Compliance means doing what you are told; risk management means figuring out how to get what you want amid uncertainty.

Finding ways to achieve core objectives is the focus of enterprise-wide risk management (ERM).  ERM enables organizations to focus on risk in terms of how an underlying hazard or the management of the risks a hazard poses makes it as likely as possible the organization will meet its core objectives.  ERM means an organization:

  1. explores why a risk is important to it, so the organization can develop an objective or set of objectives for managing the risk that is consistent with its core objectives;
  2. develops a plan for how it is going to manage the risk; and
  3. implements, monitors, and adapts detailed activities – it’s what – that ensure its objectives are met.

Though some organizations will still need to be required to do the right things, most, if they have the necessary will act in their own interest.  To any organization looking after minors or vulnerable adults, SAM risk will almost always be one of its most important risks.  Managing SAM risk well with ERM will always support achievement of the organization’s objectives.  Not managing SAM risk well, even if SAM doesn’t occur, will at best make no difference to the achievement of objectives and, at worst, make it impossible for the organization to meet its objectives.  Managing SAM risk with compliance instead of ERM is as damaging to organizations managing SAM risk as it is for minors and vulnerable adults who are less well protected by compliance than they would be by ERM.

Compliance has hitherto had to be used to manage SAM risk because ERM capabilities have been beyond the reach of most organizations that look after minors or vulnerable adults.  The problem is a lack of information. There has been no way:

  1. to identify the most effective ways to perform most SAM risk management activities;
  2. for organizations to customize their SAM risk management systems to accommodate their activities with practices that make the most sense to them; or
  3. to reward organizations for doing more than the minimum to comply with SAM-related rules.

BOKRIM’s purpose is to ensure minors and vulnerable adults are as safe from SAM as possible by:

  1. providing a framework in which any organization can manage SAM risk using ERM;
  2. identifying the most effective ERM-based SAM risk management practices,
  3. showing an organization what its choices are for making SAM risk management decisions that are best for it; and
  4. providing the means for stakeholders to see the resulting quality of the organization’s SAM risk management, to trust what they are seeing, and therefore to be able to reward the organization – as some SAM insurers offering premium discounts have already started to do for BOKRIM users.

By enabling organizations to use ERM to manage SAM risk, BOKRIM transforms SAM risk management from a burdensome necessity into a system that protects minors and vulnerable adults better than compliance approaches, as well as making it more likely organizations managing SAM risk will meet their core objectives.

Like this article?

Leave a comment