BOKRIM Thinking

What is a safe environment, and how safe should it be?

A “safe environment” is one of those frustrating terms that everyone thinks they understand, but ask five people what it means and you will get five answers.  This matters because a “safe environment” has been the cornerstone of SAM risk management for twenty years.

For some, a safe environment is simply a secure physical environment.  For others, it is an aspirational objective, acknowledging that absolute safety is unachievable though admirable.  For yet others, it is an extremely broad concept of something along the lines of “safety everywhere,” and for yet others still, the formal definition works: “the state where conditions leading to physical, psychological, or material harm from sexual abuse are controlled.” 

The problem with multiple understandings of any term, particularly when the understandings differ so much, is that the term ends up being meaningless.  More practically, however, none of the descriptions is of any help to someone who has to deliver whatever a safe environment is. 

For example, three key pieces of information are missing from the formal definition – and are necessary to make any sense of what a “safe environment” is.  The missing information is what the organization aiming to establish a safe environment:

  1. means by its “environment”;
  2. understands are the conditions that need to be controlled; and
  3. considers “safe enough” – as in how well controlled are those conditions?

These elements are foundational to effective SAM risk management and, while compliance-based approaches to managing SAM risk offer little or no guidance, risk management best practice ensures an organization can readily understand and objectively manage each of them.

What an organization means by its environment

In risk management terms, what an organization means by its “environment” depends on three elements:

  1. What is the scope of the organization whose environment is being considered?  Risk management best practice ensures an organization is explicit about the scope of the organization that is covered by a risk management system.  In an ever-more interconnected world, understanding where one organization ends and another takes over is essential to understanding who is responsible (in practical terms) for keeping children safe from SAM.  In compliance-based approaches to SAM risk management, there is no requirement for the organization’s scope to be considered.
  2. Why does the organization’s environment need considering?  Risk management best practice ensures an organization carefully considers all aspects of its environment because different aspects of an organization’s environment – for example, how it uses technology or what the statutes of limitation are in its State – will have different impacts on both the likelihood and the potential consequences of SAM.  In many current compliance-based approaches to SAM risk management, there is no requirement for an organization to consider its environment at all; not even its physical security.
  3. How far beyond its physical space does the organization intend the term “environment” to go in terms of where is safe?  Risk management best practice ensures an organization carefully considers its internal, near, and far environments (or internal, micro, and macro – or any one of the other ways of describing ever-less directly influential factors).  If an organization is going to create a safe environment, it must think far more broadly than the direct physical space it normally occupies because, apart from anything else, this should be the best-protected space and, therefore, the least likely place for SAM to take place.

How an organization understands which conditions need to be controlled

The conditions that most need to be controlled are those that are most likely to be able to:

  1. prevent the kinds of SAM an organization’s minors and vulnerable adults are exposed to;
  2. identify SAM as early as possible, and ideally, identify activity or behavior that might be indicative of SAM before SAM happens;
  3. respond appropriately to any SAM-related incidents; and
  4. mitigate the damage or other consequences of any SAM the organization cannot prevent.

Risk management best practice enables an organization to identify the conditions that need prioritizing based on its environment or context.  It also helps the organization identify the most effective controls in each of SAM prevention, identification, response, and mitigation and enables it to identify how most effectively to implement each control and verify they are working as intended. 

Current compliance-based SAM risk management doesn’t require organizations to look at the conditions that might need controlling at all.  Compliance eliminates this step by simply requiring four controls.  These controls focus almost exclusively on prevention and were developed when we knew far less about SAM than we know now (for example, long before child-on-child abuse became so prevalent), and compliance provides limited (and sometimes no) guidance on how they might be implemented.

What does the organization think is "safe enough"?

When an organization hasn’t considered its environment, hasn’t considered what its environment means for its SAM risk, and hasn’t considered the conditions its environment impacts most in terms of the likelihood or potential consequences of SAM, it is no wonder most organizations believe implementing the four controls required by compliance makes their environment “safe enough.”  

This is a gross disservice to every child and to every organization looking to help and protect minors and vulnerable adults.  Every person we have worked with wants to protect minors and vulnerable adults as well as possible from SAM.  But they are not risk management experts, so they must rely on compliance to ensure that happens.

And compliance lets them down.  Not deliberately, of course; compliance is essential but necessarily limited.  Compliance has to walk an impossible line between imposing too much on those with the least resources and capabilities and not imposing enough for those who expect compliance to be infallible.  Regulators are always and forever doing too much and too little.

The unintended consequence of a compliance-only approach to SAM risk management is that safe environments built on minimum standards will always be less safe than they could or should be.  Organizations that want to protect children as well as possible must therefore supplement compliance.

Why and how we think in terms of "as safe as possible"

We aim to ensure all children are as well protected from SAM as possible.  We enable organizations to supplement their compliance SAM risk management to achieve this.  

In thinking about what “as safe as possible” means, we take a practical approach.  We recognize that organizations are exposed to varying types and levels of SAM risk and have varying types and levels of risk management resources.  Consequently, SAM risk and the ability to manage it well, and so keep children safe – and even, what “as safe as possible” means – varies widely.

Because of its unique set of attributes, risk management best practice is the only way to accommodate this variability, and enable any organization to manage SAM risk “as well as possible”, to keep children “as safe as possible.” 

Where compliance underpins a basic level of protection, a risk management best practice framework enables a SAM risk manager to, first, understand their organization’s SAM risks. 

Second, the framework enables a SAM risk manager to customize a SAM risk management system to their organization’s SAM risks and risk management resources. 

BOKRIM provides the framework and develops and shares SAM risk and risk management knowledge, so every organization using BOKRIM has access to the key resource of SAM risk management – SAM risk knowledge.  This enables every SAM risk manager to manage their organization’s SAM risk well: choose appropriate controls and activities, implement them well, monitor and record them effectively, and adapt them when needed.

Last, BOKRIM enables an organization (and the people looking at an organization from the outside) to see they are managing their SAM risk well and delivering their “as safe as possible.”  Their “as safe as possible” depends on how much SAM risk they have, and how they have customized their SAM risk management system. 

That is why BOKRIM is committed to measuring SAM risk and SAM risk management performance, and to constantly refining our SAM risk management rating.

Please contact us if you would like to learn more about how we help organizations use risk management best practices to protect children “as well as possible.”


Tim Jaggs, BOKRIM Founder


T: +1 (925) 450 6540
