The conventional wisdom is that large organizations tend to manage risk far, far better than small organizations.
Though there is good reason for this conventional wisdom, risks like sexual abuse and misconduct (SAM) are too important for small organizations to not manage well.
Why the conventional wisdom has made sense until now
The larger and more sophisticated an organization, the better it can manage risk because it has the data, resources, and expertise to manage risk well. But the main reason larger organizations use risk management best practices as often as possible, despite the resource demands, is the results.
Research shows organizations using risk management best practices have fewer and less costly negative events than those using less sophisticated risk management. They are more trusted by their stakeholders. They are also more highly valued by stockholders – where relevant – because they meet expectations and objectives more often.
On the other hand, the smaller an organization, the less data, time, and resources they have, so, as much as they would like to benefit from risk management best practices, they too often lack the resources to use them.
Because of this conventional wisdom, regulations often force smaller organizations to manage important risks and tell them how to manage them. As a result, few organizations use risk management best practices because of how many large organizations there are compared to small ones. Rather, and because most regulatory standards are minimum standards so everyone can use them, relatively few organizations use more than minimum standards to manage important risks.
This matters because, as is often the case, there is a chasm between minimum standards and risk management best practices. This will matter more in a world where change, volatility, and uncertainty are all rising. But with some risks, it already really matters now.
Why sexual abuse and misconduct (SAM) risk management conventional wisdom needs to change
Sexual abuse and misconduct (SAM) risk management is one such risk.
The core SAM risk is that a minor or vulnerable adult is sexually abused. Every youth-serving organization has at least some SAM risk. SAM risk is governed by regulation or compliance. Almost every youth-serving organization follows a four-part SAM risk management regime based on background checks, training in SAM, policies around one-to-one interactions, and mandatory reporting.
These are important practices and they contribute to child safety but sexual abuse and the cost of SAM risk are rising. Insurers are withdrawing SAM coverage. This regime isn’t working. The standards, which haven’t fundamentally changed in twenty years, are not enough on their own to protect children or manage SAM risk.
SAM risk management needs to change; for that to happen, the conventional wisdom must change.
Ideally, for effective child safety, every youth-serving organization would manage SAM risk using risk management best practices, not minimum regulatory standards. It is because the Mormons, the Southern Baptists, the Olympic movement, and other sports apply a regulatory approach that promotes minimum standards that they find themselves in their current difficulties. The same applies to the Boy Scouts, the Catholic Church, and higher education.
It isn’t that these groups or sectors don’t want to protect children as well as possible; on the contrary, every single member abhors the very idea of any child being sexually abused. But they are all trapped by the conventional wisdom of telling their memberships what to do about SAM risk and how to do it. As a result, they apply minimum standards and wonder why sexual abuse and the cost of SAM risk keep rising.
The good news is that, based on what we are learning, the conventional wisdom about the ability of small organizations to cross the chasm and use risk management best practices for SAM risk needs to be re-thought.
We are learning that when we provide even a tiny organization with the “know what” and “know-how” of risk management best practices for SAM risk, and the tools to use them, they rapidly and materially move beyond using the minimum required standards. They embrace best practices not because they know SAM risk is so important; they’ve always known that. Rather, they discover how limited regulatory standards are and how much better their SAM risk management can relatively easily be, even for a small organization with no previous risk management experience.
We are still learning, but if you want to hear more about how we are helping even the smallest organizations manage SAM risk like experts, please contact us.