Sexual abuse and misconduct (SAM) risk has an unusual combination of characteristics that mean that, while everyone wants to manage it well and it must be managed well, it is difficult to manage well.   The consequence is that there is almost always a gap between how well a SAM Risk Manager wants to manage SAM risk and how well they actually manage SAM risk.  

For example, if you ask any room full of people how well children should be protected from sexual abuse, everyone will agree they should be as well protected as possible.  Yet, when you look at the practices organizations use to protect children, 99% of organizations (according to our data) use less – and often much less – than the best practices for preventing events like sexual abuse.  

So, why is this?

Part of the problem is that sexual abuse is most often addressed as a compliance issue, not a risk to be managed; the wrong solution is applied to the problem of how to protect children well.  The problem isn’t intent; regulators want children to be as well protected as anyone else, so they insist on the standards everyone must use.  

In practice, however, this means most organizations comply with the requirements. However, because compliance requirements must be no more sophisticated than the least sophisticated organization can use, they are minimum standards, not best practices.  To comply with most compliance frameworks, organizations only have to apply four controls, and, bearing in mind sexual abuse is increasing, these controls are not enough, on their own, to prevent SAM.   

Compliance is the wrong, or at least an incomplete, solution to the problem of protecting children as well as possible because so few people working for youth-serving organizations are abuse prevention, child protection, or risk management experts.  This means they don’t realize how limited compliance controls are compared to what’s really needed to protect children, so they don’t supplement the compliance controls because they don’t know they need to.  

So, the first reason sexual abuse risk is difficult to manage is because it isn’t managed as a risk by most people.  But if compliance is the wrong solution, what is the right one?  

To develop a solution, you must first understand the problem…  Sexual abuse has a set of inherent characteristics that make it essential to manage it as a risk, not a compliance issue. Some of those characteristics are that:

1. Sexual abuse is a risk, whether you define risk as “the potential for loss” or “the effect of uncertainty on objectives.”  Though the same risk can impact countless organizations, risks impact organizations in specific ways, so to manage any risk well, the managers of an organization must manage how each risk affects their organization.  
2. Organizations that look after children and vulnerable adults cannot avoid SAM risk.  They would have to stop looking after children and vulnerable adults to do so.
3. There will always be some adults who find minors or vulnerable adults sexually attractive, too many adults are capable of making bad decisions, and children don’t understand sexual abuse – whether as victims or perpetrators.  As a result, SAM will never be entirely preventable.
4. SAM causes its victims terrible harm. 
5. The financial, operational, and reputation damage caused to organizations that fail to prevent SAM threatens their viability.

Recent developments in the SAM risk environment have made effective SAM risk management even more critical.

• Retrospective statute of limitation changes in many States have allowed victims to make abuse claims that were previously time-barred.  How organizations deal with these changes impacts how likely and how well they will achieve their objectives in the future.
• Prospective changes to statutes of limitation mean victims will be able to seek redress in the future for much longer after they are abused.   Higher expectations for SAM risk management and longer timelines mean the ability to demonstrate sound SAM risk management now and in the future will be almost as important as managing SAM risk well.
• The consequences of poor SAM risk management have become more significant as the costs of failing to prevent SAM have grown.  Where NDAs covered most SAM situations ten years ago, reputations today are destroyed by even hints of SAM.  The disruption to an organization and the people working for it caused by SAM investigations and claims can be significant and long-lasting.  And, where $250,000 was considered a big SAM settlement 15 years ago, $25,000,000 is now a big settlement, with the largest known being $40,000,000.
• SAM risk is no longer just the risk that an organization fails to prevent SAM.  For example, SAM risk can also crystallize when trust in an organization is impaired because they are perceived not to be managing SAM risk well.  The opposite is also true.

These developments mean SAM risk is more likely to crystallize and threaten an organization’s future if it does.  So, how well can most organizations deal with the increased likelihood of SAM and the costs of failing to prevent it?  In a recent survey, we found that:

• Very few SAM risk managers (less than 5%) manage risk as their primary responsibility.  Instead, almost all SAM risk managers have different primary responsibilities, like legal or finance.
• Few SAM risk managers can spend more than 10% of their time managing risk.  Risk management is just another thing on their plate.
• Few SAM risk managers have formal risk management training.  Instead, SAM risk managers learn risk management ‘on the job.’
• Though there is plenty of information – far too much, in fact – on SAM risk, there is very little reliable, practical, or contextual information to guide well-informed SAM risk management decision-making.
• SAM risk management practices have never been measured for effectiveness, and opinions on approaches vary wildly.  Even entities following the same rules use different controls in widely different ways.

So, while every SAM risk manager wants to manage SAM risk well, they have to manage an unavoidable, unpreventable, and potentially existential risk in the face of a deteriorating risk environment, increasing stakeholder expectations, multiple priorities, limited time, and too little reliable information.   

And then there are our cognitive biases.  

We all have them.  They are the experience, impulses, gut feelings, and rules of thumb we use when making decisions.  They aren’t a fault but a feature; they protected us from saber-tooth tigers.  But when risk management (important decisions about uncertain future events) meets too little reliable information about a subject (sexual abuse of children) no one wants to think about, cognitive biases fill information gaps in our decisions and how we make them.  The problem is that cognitive biases vary widely, impact different people differently, and are reliably unreliable at supporting effective decision-making.  As a result, the impact of cognitive biases on risk management can be profound.

If only every SAM Risk Manager could overcome the challenges that make SAM risk management so difficult…  To be successful, they would 

1. understand that, to protect children as well as possible, they must manage sexual abuse as a risk and not a compliance issue by supplementing compliance with risk management best practices and;
2. appreciate how important it is to address the true characteristics of sexual abuse in the context of their organization, its vulnerabilities to SAM risk, and given its resources and objectives;  
3. be able to work through all the steps of risk management best practice and access the practical information they need to make good decisions along the way; and
4. know how much SAM risk they were managing, how well they are managing it, and when and how to adapt to change.  

For these SAM Risk Managers, there would be no gap between how well they want to protect children from sexual abuse and how well they protect them.  They would also meet everyone else’s expectations for safeguarding children, and as those expectations evolved, they would adapt. 

SAM risk will always be challenging, but it is possible to manage it well.  Please contact us for more information on how we help organizations manage sexual abuse risk well.

Do you know how much SAM risk you have?  We can estimate your potential SAM risk if you can answer five quick questions.