Compliance is not risk management

Like anything, how you think about risk management depends on your perspective.  For some, risk management is a tool that enables them to accept greater risk in search of greater reward.  At the other end of the spectrum, risk management is a burdensome but necessary expense of running an organization:

  • Burdensome because risk management – in its traditional form – is about trying to prevent negative events that may be inherently rare so most of the time, risk management expense has no obvious return.
  • Necessary because negative events, even if they are rare, can still happen.

It is because risk management is burdensome for so many that it is also often compliance-driven.  For organizations that link risk with reward, forcing compliance is unnecessary.  But some organizations need to be required to do the right things, and others are happy that doing the right stuff is made easy for them.

The problem is that compliance and risk management are different types of activity, and they are incompatible with each other.  Compliance is what an organization is required by someone else to do; risk management is something an organization chooses to do, and it chooses how to do it in its own interests.

Compliance = what

Compliance causes organizations to follow or obey a set of rules. Rules are a set of explicit regulations governing conduct in a specific activity or sphere and are usually:

  1. designed to ensure something isn’t poorly done, not that it is done well;
  2. one-size-fits-all so that they can be used by as many different types and sizes of organizations as possible;
  3. biased (in the technical sense) because they are usually generated in response to an immediate need, and the analysis that informs their development rarely encompasses any information beyond the experience of the membership of the group the rules are intended to cover, even when the underlying issue is far broader in scope; and
  4. slow to adapt because regulators always move on to the next immediate need, and any “adaptation by design” has to accommodate the least adaptable entities the rules cover.

Rules are always compromises.

Compounding this inherent limitation, complying with rules offers no return other than that an organization is compliant.  So, while failure to comply has risks and costs, compliance activities and expenses rarely exceed what is needed to comply.

Sexual abuse is a risk almost exclusively managed by compliance today.  Whether it is a safe environment approach developed by the Catholic Church, a SafeSport approach, or a safe something else, most organizations looking after minors or vulnerable adults are required to follow a four-control process: background checks, training, policies and procedures designed to prevent abuse, and mandatory reporting.

The problem is that taking a compromised set of standards and only requiring organizations to do enough to comply with them is different from risk management.  It means telling organizations what to do but not why or how.  Applying such an approach to preventing sexual abuse is why minors and vulnerable adults are far less safe from sexual abuse than they should or could be, why trust in youth-serving organizations remains so low, why statutes of limitation are being extended, suspended, and eliminated, and why insurers are withdrawing coverage for sexual abuse.  For minors and vulnerable adults to be as safe from sexual abuse as possible, sexual abuse risk should be managed as well as possible, not by minimally applying compromised standards.

Risk management = why, then how, then what

If management is finding the most effective combination of planning, organizing, staffing, directing, and controlling to achieve an objective, and risk is either preventing and mitigating the consequences of adverse events or the effect of uncertainty on objectives, risk management is finding the most effective combination of planning, organizing, staffing, directing, and controlling to either prevent and mitigate adverse events or minimize the effect of uncertainty on objectives.  In either case, its practice is almost the exact opposite of compliance.

Compliance means doing what you are told; risk management means figuring out how to get what you want amid uncertainty.

Finding ways to achieve core objectives is the focus of enterprise-wide risk management (ERM).  ERM enables organizations to think about risk in terms of how an underlying hazard, and how their management of the risks that hazard poses, affects the likelihood that the organization will meet its core objectives.  ERM means an organization:

  1. explores why a risk is important to it, so the organization can develop an objective or set of objectives for managing the risk that is consistent with its core objectives;
  2. develops a plan for how it is going to manage the risk; and
  3. implements, monitors, and adapts detailed activities – its “what” – that ensure its objectives are met.

Though some organizations will still need to be required to do the right things, most, if they have the necessary will, act in their own interest.  To any organization looking after minors or vulnerable adults, SAM risk will almost always be one of its most important risks.  Managing SAM risk well with ERM will always support achievement of the organization’s objectives.  Not managing sexual abuse risk well, even if sexual abuse doesn’t occur, will at best make no difference to the achievement of objectives and, at worst, make it impossible for the organization to meet its objectives.  Managing sexual abuse risk with compliance instead of ERM is as damaging to the organizations managing that risk as it is to the minors and vulnerable adults who are less well protected by compliance than they would be by ERM.

Compliance has hitherto had to be used to manage sexual abuse risk because ERM capabilities have been beyond the reach of most organizations that look after minors or vulnerable adults.  The problem is a lack of information. There has been no way:

  1. to identify the most effective ways to perform most sexual abuse risk management activities;
  2. for organizations to customize their sexual abuse risk management systems to accommodate their activities with practices that make the most sense to them; or
  3. to reward organizations for doing more than the minimum to comply with sexual abuse-related rules.

BOKRIM’s purpose is to ensure minors and vulnerable adults are as safe from sexual abuse as possible by:

  1. providing a framework in which any organization can manage sexual abuse risk using ERM;
  2. identifying the most effective ERM-based sexual abuse risk management practices;
  3. showing an organization what its choices are for making sexual abuse risk management decisions that are best for it; and
  4. providing the means for stakeholders to see the resulting quality of the organization’s sexual abuse risk management, to trust what they are seeing, and therefore to be able to reward the organization – as some sexual abuse insurers offering premium discounts have already started to do for BOKRIM users.

By enabling organizations to use ERM to manage sexual abuse risk, BOKRIM transforms sexual abuse risk management from a burdensome necessity into a system that protects minors and vulnerable adults better than compliance approaches, as well as making it more likely organizations managing sexual abuse risk will meet their core objectives.

That risk management is not the same as compliance is a BOKRIM core principle.

Hello, I'm Tim Jaggs

I am a Brit who now lives just outside San Francisco.  Though I have given up arguing for “football,” not “soccer,” I am still trying to decide whether football is better to watch than rugby – it’s a very close call – and if it’s OK to admit I enjoy baseball almost as much as cricket.

I have worked with organizations managing sexual abuse risk for over 15 years. 

I created BOKRIM to help people working with children, who often have little risk management experience, to use risk management best practices to protect children from sexual abuse and protect themselves from the consequences of failing to prevent sexual abuse.

Ten-Step Guide

Read how to take control of your sexual abuse risk in our Ten-Step Guide to implementing risk management best practices.
