Yesterday, Child USA issued a press release/email announcing that their report into Catholic Diocesan SAM risk management practices had been published by the Journal of Child Sex Abuse. It is a good report and deserves wider circulation but having now had time since the original release (October 2020) to reflect, it is clearer the report’s conclusion is both accurate and misleading at the same time.
The conclusion was that the current policies of the Catholic Church are inadequate to protect children from abuse. This conclusion is accurate but also misleading because almost every organization managing SAM risk uses broadly the same policies as the Catholic Church.
In fact, the underpinnings of the SAM risk management programs of almost every sector, institution, and organization are based on the safe environment programs first developed by the Church. The underpinnings include policies and procedures, background checks, training, and mandatory reporting. As far as our analysis has so far identified, almost every organization bases their SAM risk management around the same four pillars and better than 90% go no further, though risk management best practice suggests they should.
The Child USA analysis goes on to point out that there is significant variability of approach between different Arch/Dioceses. Our analysis fully supports this observation. But variability on its own isn’t a problem; the opposite in fact. It is a fundamental requirement of effective risk management systems that they are customized to the organizations using them.
So, for example, every Diocese must perform background checks but too many studies suggest fewer than 10% of abusers ever come into contact with law enforcement. Also, for some roles, relatively few background checks done once will suffice; for other roles, more initial checks and frequent refreshers are required. Background checks should vary and how they vary should be risk-based.
The problem our analysis has identified isn’t with variety as such but in how different organizations determine which approaches to use. The all too often missing piece is deliberation; how should each of the key SAM risk controls be performed, when, by whom, and how often should they be monitored and reviewed. It is lack of deliberation that needs addressing and it applies far more widely than the Catholic Church.
So, regrettably, by focusing only on the Catholic Church – and heaven knows, there is plenty to see there – Child USA misses the opportunity to make the bigger and more important point that it is the four-pillar approach of most current SAM risk management regimes that is inadequate at protecting minors and vulnerable adults from sexual abuse. For example, almost any insider – someone who works with or for an organization looking after minors or vulnerable adults – who has committed abuse in the last ten years has been background checked and trained not to abuse. Everyone has been provided with policies and procedures and yet, consistently, people fail or delay notifying abuse, regardless of the obviousness of the red flags.
It is because the four pillars are failing so broadly that the value of SAM risk has soared – by 10,000% – over the last 10 years. Their failure is why insurers are withdrawing SAM capacity, restricting coverage, and increasing prices. Their failure is also the core reason trust in organizations managing SAM risk is at an all-time low. Most important, changes in what we know about SAM and SAM risk mean the four pillars are no longer adequate to protect minors and vulnerable adults from sexual abuse.
What’s to be done? We think three changes are required:
You cannot manage what you can’t measure, just as you cannot improve what you cannot measure. Given we know the four pillars are not working, we need to find controls/behaviors/activities/systems that do. Currently, SAM risk and risk management measurement is functionally non-existent. SAM risk and its management – in all its forms – need to be measured consistently and constantly for these new approaches to be uncovered.
If you want people to behave in a certain way, you can either force them, for example through regulation, or you can motivate them by ensuring they want to do what you want them to do because it is in their interest. The four pillars are part of a regulatory regime where the main objective for often resource-constrained organizations is to comply at the lowest possible cost. This makes for very poor risk management. Rewards for good SAM risk management need to become possible.
Change happens and is accelerating. Failure to adapt the four-pillar approach, which was cutting edge when it was developed, is arguably the main reason minors and vulnerable adults are less well protected now than they should or could be. As change accelerates, appropriate adaptation will require a risk management incubation capability; the ability to constantly improve SAM risk management as SAM, SAM risk, SAM risk management, organizations managing SAM risk, and all the environments they all live in change.
What do you think of these proposed changes? Let us know in the comments below.