Risk management is not compliance

Rather than manage sexual abuse and misconduct (SAM) as a risk, most organizations currently follow the prescribed rules.  Though rules differ by sector, most organizations follow a four-control set of rules that were first brought together as a cohesive set about twenty years ago.  They were designed to prevent sexual abuse and so protect minors and vulnerable adults.   

The problem is that the rules, on their own, are not enough to prevent sexual abuse, which is rising.  Adult-on-child sexual abuse has doubled in the last ten years.  Child-on-child sexual abuse has increased five times.  

Though the immediate problem is that compliance rules on their own aren’t enough to prevent sexual abuse, the more fundamental problem is that compliance is not risk management.

Compliance tells organizations what to do but not how to do it.  Compliance involves checking the box that says something has been done but not how well it has been done.   Compliance doesn’t verify that the expected results are being achieved.  All those activities are risk management activities.

Risk management activities are the activities that protect organizations if, despite following the rules, sexual abuse still happens.  And because the rules aren’t enough to prevent sexual abuse, more children are being abused than could be the case, and more organizations have to deal with the consequences of failing to prevent abuse.

Risk management is the activity that identifies when a set of controls isn’t enough and incubates the additional controls that must be tested to determine what’s needed to succeed.  Risk management ensures organizations engage with risk: that they understand their risks, understand how to address them most effectively and practically, and make sure they address them in ways that align with their core values and objectives.

Risk management means organizations develop a culture of risk-aware child protection instead of a check box approach.  Unfortunately, most organizations cannot avoid checking boxes because they are not risk management experts, so they don’t know what they don’t know.

Protecting minors and vulnerable adults from sexual abuse is too important to check with boxes.

That risk management is not the same as compliance is a BOKRIM core principle.

Creating and Maintaining a Sexual Abuse Risk-Aware Culture: A Free Ten-Step Guide

Developing a sexual abuse risk-aware culture is the single most valuable thing you can do to protect the children and vulnerable adults in your care from sexual abuse.

Our free Ten-Step Guide is a practical introduction to the system that enables any organization to establish and maintain a sexual abuse risk-aware culture. 

Post Author

Tim Jaggs

I am a Brit who now lives just outside San Francisco.  Though I have given up arguing for “football,” not “soccer,” I am still trying to decide whether football is better to watch than rugby – it’s a very close call – and if it’s OK to admit I enjoy baseball almost as much as cricket.

I have worked with organizations managing sexual abuse risk for over 15 years. 

I created BOKRIM to help people working with children, who often have little risk management experience, to use risk management best practices to protect children from sexual abuse and protect themselves from the consequences of failing to prevent sexual abuse.