A well-balanced sexual abuse risk management system ensures children are as well protected from sexual abuse as possible and that you and your organization are also well protected from potentially catastrophic sexual abuse risks. The balance is essential because you and your organization can only be as well protected as you protect children. Working through the process of determining the balance that suits your organization is also what makes the system “your” system, not “a” system, which in turn makes the system much more likely to be effective.
“You” are anyone who works for a minor or vulnerable adult-serving organization, particularly if you are on your Board or are involved in managing sexual abuse risk.
Today, most approaches to preventing sexual abuse are not balanced. Instead, they provide limited child protection, and even if you buy insurance, they don’t protect you or your organization from your most significant sexual abuse risks.
Twenty years ago, when what is currently the most common approach to managing sexual abuse risk – the safe environment – was first developed, we knew much less about sexual abuse risk. As a result, we didn’t realize the safe environment left vast gaps in sexual abuse risk management.
Those gaps matter so much today because reports of sexual abuse have doubled in the last ten years, sexual abuse risks have expanded in scope, and their scale has risen exponentially. For example, this link describes the latest, highest sexual abuse-related jury award of $485,000,000 for one child’s sexual abuse in foster care in 2018. But please don’t imagine that, for example, sexual abuse risks related to trust, reputation, response, or disruption haven’t all risen nearly as fast; they have.
Implementing a well-balanced sexual abuse risk management system is the only way to keep children as safe as possible from sexual abuse and protect yourself and your organization from the most significant sexual abuse risks.
How you develop a well-balanced sexual abuse risk management system
Your ability to develop a well-balanced sexual abuse risk management system depends on how well you understand your organization’s risks. Understanding your risks depends, in turn, on how well you know your organization.
Your organization’s risks are unique because no two organizations have the same combination of minors or vulnerable adults, resources, capabilities, relationships, value propositions, activities, environment, or objectives as yours. Until you understand your organization in detail, you cannot identify its sexual abuse risks.
To understand your organization and identify all its sexual abuse risks, you need the right resources and capabilities.
Appropriate resources also enable you to make well-informed choices about the content and balance of your risk management system. Other resources will allow you to manage the resulting system effectively, demonstrate conscientious child protection over the long term, and constantly improve your system.
Given how fast sexual abuse risk is rising, constant improvement is critical.
1. Understand your Organization
As noted above, every organization is unique. As a result, the foundation of a well-balanced system is understanding in detail how your organization operates.
For example, even if two schools sit side by side, with pupils of similar ages from the same area studying similar subjects and getting similar results, there will still be differences in the details that matter for sexual abuse risk and its management.
The schools are unlikely to have identical value propositions, resources, or activities. They may also aim to maintain different types of relationships between pupils, parents, and school staff. Each school will also have its own set of objectives, which they will strive to achieve in ways that make sense based on the resources, attitudes, and objectives of the people in and attached to each school.
You may not be managing sexual abuse risks at a school, but these details impact the types and levels of sexual abuse risks your organization has.
Ideally, understanding and recording how your organization works is a collaborative process. The team that works on this initial stage of a sexual abuse risk assessment is the ideal team to also work on identifying your risks and then selecting the controls that ensure balance.
2. Explore your Sexual Abuse Risks
Before looking at the better-known sexual abuse risks, it’s important to note that sexual abuse doesn’t need to occur for an organization to be exposed to sexual abuse risks. For example, trust is an emerging risk for every youth or vulnerable adult-serving organization. Sexual abuse trust risk is when an organization isn’t trusted to look after minors or vulnerable adults because it cannot convincingly explain how it backs up its commitment to protecting them.
The best-known sexual abuse risks are often thought of as sets of causes and consequences. Though the generic risks apply to every youth and vulnerable adult serving organization, the details make all the difference to the scale and importance of each risk to each organization.
Prevention – the generic risk is that the controls used to prevent sexual abuse are inadequate, out of date, or are not used as intended, enabling sexual abuse to take place.
Identification – the generic risk is that the controls meant to identify sexual abuse as early as possible fail to operate at all or operate incompletely, leading to a delay in identifying sexual abuse, increasing the damage caused to a victim, or enabling more victims to be abused.
Response – the generic risk is that the controls and processes meant to ensure an appropriate response to any suspicion of sexual abuse fail, leading, at best, to a delayed response and, at worst (for the organization), to allegations of a deliberate cover-up.
What will make each of these risks unique for your organization is the depth of each set of prevention, identification, and response controls you have chosen to implement, how you implemented your choices and their intended capabilities, and how well the controls perform over time.
Reputation – the main generic risks are that as a result of how an organization handled or didn’t handle sexual abuse, they are seen as, for example, lazy, stupid, incompetent, or uncaring, permanently damaging their reputation. Individuals working for the organization can also have their career prospects damaged or even destroyed if their names are tied to the organization’s actions or inactions.
Disruption – the main generic risks are that an organization’s activities are disrupted in the short or long term by a lack of trust, an allegation of sexual abuse, a high-profile abuse incident, or a prolonged legal case. Disruption risk also applies to the people working at an organization where sexual abuse is alleged or occurs because their lives are likely to be upended in the short term and potentially for an extended period.
Legal – the main generic risks are that sexual abuse controls are either not performed or inadequately performed, enabling allegations of negligence to be sustained against an organization. Ignoring the plight of perpetrators, some people who have failed to take appropriate action when abuse was first suspected have faced criminal charges and imprisonment, so the legal risks extend beyond civil liability and organizations.
Financial – the main generic risks are that organizations have short-term revenue disruption because of an allegation of sexual abuse. They also face potentially long-term legal fees and a legal settlement or jury award. In the long term, organizations have also had to deal with a fundamentally different financial reality brought about by the loss of critical assets from a settlement or award, the ongoing drain on their revenues, and higher costs because of damage to their reputation.
What will make each generic risk unique to your organization is the impact each of these risks could have on your ability to fulfill your mission, achieve your objectives, or even perform your day-to-day activities effectively.
3. Access to Appropriate Risk Management Resources and Capabilities
The sexual abuse risk assessment outlined above, without which effective sexual abuse risk management is impossible, requires resources and capabilities the safe environment doesn’t contemplate. So, why is that?
The answer lies in how most youth and vulnerable adult-serving organizations have limited risk management resources. In addition, few people working for youth-serving organizations have risk management best practice experience. For this reason, sets of rules like Safe Parish and SafeSport were created to force every organization to take steps to protect children, which were, in turn, designed to be easy for any organization to implement so every organization covered by the rules could implement them. Ignoring the false assumption that people need to be forced to protect children, the result of this approach is that:
- To ensure any organization can follow the rules, they are limited by design. As a result, they aren’t enough to prevent sexual abuse.
- The rules were not designed to adapt, so they are outdated and far from risk management best practices. As a result, they are an unconvincing way to demonstrate a commitment to child safety.
- Most organizations don’t have the risk management knowledge to appreciate the limitations of the prevention controls or the complete absence of organizational or personal protection. As a result, children are not as safe as they should be, and the people trying to protect children have no protection if they fail to prevent sexual abuse.
Insurance is the only protection most organizations have traditionally added to their required controls. Insurance covers some financial and legal costs associated with sexual abuse. But insurance is becoming harder to obtain, costs much more, and covers much less than it used to.
This “required controls plus insurance” approach worked when it was first introduced, mainly because it significantly improved what went before. But we now know much more about sexual abuse risk, and we know a “required controls plus insurance” approach is no longer adequate for the rapidly rising frequency, scope, and scale of sexual abuse risks.
In the past, you only had one option to address this. Assuming you had enough patience and money, you could engage consultants to help you craft your sexual abuse risk management system. In addition to being an expensive and time-consuming process, these systems were based on a safe environment and so were not designed to adapt. Because few youth-serving organizations have access to the latest sexual abuse risk management thinking or research, the consultants must return every few years to update the systems.
Because the rapidly rising frequency, scope, and scale of sexual abuse risk show no signs of slowing, this approach no longer works. The need to change, and the need to change to a permanent state of constant improvement, is why organizations are beginning to access new sexual abuse risk management resources and capabilities.
- They are beginning to adopt risk management best practices (an approach known as Enterprise Risk Management or ERM). The reasons for choosing ERM include how sexual abuse risk has become too significant to manage any other way than with the best practices, that best practice is also the only way to be convincing when you tell people you are committed to child protection, and ERM includes continuous improvement by design.
- They are also finding guides to walk them through adopting ERM systems and accessing data sources that give them choices about how to improve their systems continuously.
- They are also accessing tools that enable them to demonstrate conscientious best practice sexual abuse risk management over the long term. This is the most valuable outcome you can produce to manage the most significant trust, disruption, reputation, legal, and financial sexual abuse risks.
4. Make Well-Informed Choices and Decisions
For the sake of this article, choices refer to long-term or strategic issues about the content of your system, whereas decisions refer to how you decide to implement your choices.
If you decide to keep using traditional sexual abuse risk management, your only choice is whether and, if yes, how to supplement the version of the safe environment child protection scheme your organization must follow. Many organizations choose not to supplement, so their decisions are only about implementing each required control.
Organizations that supplement do it in one of two general ways. The more common approach currently is to add additional controls to those the organization is already required to implement. For example, they add reference checks to criminal background checks. This bottom-up approach ensures organizations remain compliant easily, improves child protection, and marginally reduces organization and personal legal risk. However, this approach rarely improves organizational or individual protection fundamentally.
Fundamentally improving protection requires adopting a top-down approach. A top-down approach is an entirely new scheme for sexual abuse risk management that enables a balanced sexual abuse risk management system that is incidentally, if deliberately, compliant with a safe environment. The objective of the top-down approach is no longer to be compliant but to establish the most effective protection possible.
As noted above, because organizations are increasingly realizing the shortcomings of the safe environment, they are accessing new top-down resources and capabilities. These new resources and capabilities bring with them significantly more choices and decisions. In brief, however, the new choices and decisions fall into three main categories, guided by the risk management best practice process:
- A Sexual Abuse Risk Assessment – ensures you can understand your organization in detail. Hence, you also understand how minors and vulnerable adults may be at risk of sexual abuse. You also explore all your organization’s sexual abuse risks (the details, not the generic versions outlined above) and your risks – whether you are a director, officer, or employee.
- Sexual Abuse System Customization – where the core choices are which controls are appropriate for all the ways minors and vulnerable adults are potentially at risk of abuse, as well as for your organization’s and your personal risks. Your decisions are about how you implement the controls you choose to implement. This is where the critical balance-related decisions occur, ensuring all your most crucial sexual abuse risks are addressed based on their importance to you and your organization. For example, though all organizations consider prevention, identification, and response critical, each organization will have its own ideas about, for example, how much reputation or disruption risk it, its board, and its employees are willing to accept.
- Sexual Abuse System Management – where the core activities are implementing the controls, plans, and systematic processes that ensure your choices and decisions remain effective and appropriate. They also ensure you, your organization, its sexual abuse risks, and its sexual abuse risk management system stay in sync with each other.
The traditional safe environment requires organizations to perform none of these steps. The key balance-related steps are, therefore, completely skipped. The safe environment focuses only on implementing its three core controls. The result is a string of processes (not a system) with no balance because none of the most challenging sexual abuse risks are addressed by the safe environment, even when insurance is added.
So, how would you balance a sexual abuse risk management system so it suits your organization? Assume you understood your organization, knew what your most significant sexual abuse risks were, had equipped yourself with the tools to make well-informed choices and decisions, and knew what choices and decisions were available to you; how would you ensure you avoided leaving critical, potentially catastrophic sexual abuse risks unmanaged?
There are three primary methods, which differ based on the resources and capabilities available to you:
- Level matching – the most straightforward approach – involves ensuring that all the risks identified in the risk assessment have similar controls matched to them, limited only by your resource constraints. This approach acknowledges that, as much as some risks are scarier than others, it’s currently impossible to distinguish between them in frequency or severity terms because of inadequate data. As a result, level matching is an appropriate approach.
- Weighted matching – the ideal approach – involves allocating controls to achieve something of a level weighting but ensures the risks that are more important to you receive more resources, depending on their importance.
- Prioritized matching – the most common, build-it-as-you-go approach – involves allocating resources based exclusively on how significant a risk is to you. This approach is most commonly used when resources are limited; you cannot afford to address all your risks immediately, so you implement controls and processes when resources become available.
You can see a comprehensive set of controls forming the basis of any of the matching approaches here.
However you balance your sexual abuse risk management system, don’t bypass the critical balancing step. It’s where your sexual abuse risk management system becomes “your” system. If you miss it, you are dealing with a much more generic approach, which leads to lower engagement with sexual abuse risk and reduces the system’s effectiveness. Maybe, more importantly, you or your organization may have no protection from one or more potentially catastrophic sexual abuse risks.
Contact us if you would like to learn more about how we help organizations achieve a well-balanced sexual abuse risk management system.