BOKRIM Thinking

Risk management is not compliance

Rather than manage sexual abuse and misconduct (SAM) as a risk, many organizations are currently required to follow rules to protect minors and vulnerable adults. The problem is that compliance is not risk management.

Compliance rules tell organizations what to do but not how to do it. Compliance involves checking the box that says something has been done, but not how well it should be or has been done.

Risk management means an organization decides why it wants to do something and how best to achieve its objective. It then means customizing activities to the organization and its risk, adapting appropriately to change, and monitoring performance to verify the system is achieving its objectives.

Protecting minors and vulnerable adults is too important to check with boxes.

That risk management is not the same as compliance is a BOKRIM core principle.
