BOKRIM Thinking

Risk management is not compliance

Rather than manage sexual abuse and misconduct (SAM) as a risk, most organizations currently follow the prescribed rules.  Though rules differ by sector, most organizations follow a four-control set of rules that were first brought together as a cohesive set about twenty years ago.  They were designed to prevent sexual abuse and so protect minors and vulnerable adults.   

The problem is that the rules, on their own, are not enough to prevent sexual abuse, which is rising.  Adult-on-child sexual abuse has doubled in the last ten years.  Child-on-child sexual abuse has increased five times.  

Though the immediate problem is that compliance rules on their own aren’t enough to prevent sexual abuse, the more fundamental problem is that compliance is not risk management.

Compliance tells organizations what to do but not how to do it.  Compliance involves checking the box that says something has been done but not how well it has been done.   Compliance doesn’t verify that the expected results are being achieved.  All those activities are risk management activities.

Risk management activities are the activities that protect organizations if, despite following the rules, sexual abuse still happens.  And because the rules aren’t enough to prevent sexual abuse, more children are being abused than could be the case, and more organizations have to deal with the consequences of failing to prevent abuse.

Risk management is the activity that identifies when a set of controls isn’t enough and incubates the additional controls that must be tested to determine what’s needed to succeed.  Risk management ensures organizations engage with risk: that they understand their risks, understand how to address them most effectively and practically, and make sure they address them in ways that align with their core values and objectives.

Risk management means organizations develop a culture of risk-aware child protection instead of a check box approach.  Unfortunately, most organizations cannot avoid checking boxes because they are not risk management experts, so they don’t know what they don’t know.

Protecting minors and vulnerable adults from sexual abuse is too important to check with boxes.

That risk management is not the same as compliance is a BOKRIM core principle.


Tim Jaggs, BOKRIM Founder


T: +1 (925) 450 6540
