The current approach to sexual abuse and misconduct (SAM) risk management was created in response to the initial abuse crisis of the late 90s and early 00s. At that time, most risk management was still ‘traditional’; risk managers focused on trying to prevent negative events and then made plans to try to mitigate the consequences of the events they couldn’t prevent.
Based on this prevent and mitigate (P&M) model, SAM risk management, and in particular the concept of the ‘safe environment’, was designed to prevent predatory abusers, then perceived to be the main threat, from gaining access to minors or vulnerable adults. Offers of counseling, assertive defense strategies, and insurance for those who could find it formed the mitigation arm of the approach.
Since P&M strategies were first adopted, however, SAM risk has evolved.
- We now know that predatory abusers are far less common than other, equally dangerous types of abusers;
- Across the US, statutes of limitation for civil SAM suits have been suspended, extended, and even eliminated;
- Where $250,000 was a high SAM settlement 15 years ago, $25,000,000 is a high settlement now and $40,000,000 is the current high-water mark;
- Organizations seek bankruptcy protection because of SAM at a far higher rate today than was the case 20 years ago;
- Because of the way some institutions and organizations are perceived to have handled SAM risk in the past, and how some organizations are found to be handling SAM risk today, no organization can easily convince its stakeholders that it is managing SAM risk well; the absence of evidence of SAM is no longer enough to prove the absence of SAM.
As a result of all the above, SAM risk has changed into a broader-based, more severe risk with a much longer shelf-life. It has also changed in another way: in addition to the risk that a minor or vulnerable adult might be abused, organizations now face the risk that, where they are found not to have managed SAM risk well, whether SAM occurs or not, their credibility can become so impaired that they can no longer perform their core mission.
Because SAM risk is not the only risk to have undergone these kinds of changes, risk management best practices have also evolved. Today, risk management best practice, in the form of enterprise-wide risk management (ERM), seeks to positively influence all the risks that might impact the achievement of an organization’s core objectives.
ERM is successful because it just works better than ‘traditional’ P&M risk management. ‘Better’ in this case means many things. It includes how organizations using ERM achieve their core objectives more often, are more trusted by their stakeholders, adapt better to change, prevent more negative events, mitigate negative events more effectively, have lower costs, and are more highly valued than organizations not using ERM.
These are objectives any organization managing SAM risk would dearly like for itself, but which most cannot currently achieve because they are still using outdated P&M risk management strategies. They are managing SAM risk as well as they are able, but not as well as they would like to be able.
The challenge for many organizations is to find a middle ground between P&M and ERM. P&M is too narrowly focused on negative events and also lacks immediacy, because it is difficult to take ownership of preventing an inherently rare event like SAM. ERM can be uplifting, but enthusiasm can be difficult to sustain if the organization’s objectives are too far removed from the day-to-day concerns of the SAM risk manager.
The middle ground is to provide the tools that enable credible metrics showing how well protected minors and vulnerable adults are and how well a SAM risk manager has minimized the total cost of the organization’s SAM risk.
These objectives are immediate, deeply engaging, and in most cases, directly support the achievement of the organization’s core objectives.