Every sexual abuse and misconduct (SAM) risk manager we have met has, without exception, been relentless in their efforts to manage SAM risk as well as their resources will allow. SAM risk isn’t like many other risks; people managing SAM risk really want to succeed.
Despite their best efforts, however, we keep seeing incidents of SAM and having to deal with SAM insurance claims. After a while, anyone would have to start asking: “if so much effort goes into managing SAM risk, why does it keep failing?”
No risk is completely preventable but, in the nearly 15 years we have worked with SAM risk, we have come to think that SAM risk is more than just difficult to manage well, though it is. We suspect SAM risk is currently practically impossible to manage objectively well for four reasons.
The four reasons are outlined below. Because COVID-19 will have reduced many organization’s risk-bearing and risk-managing capacity, sometimes materially, it is more important than ever that these 4 issues be addressed.
1. Risk Management is a system
A system is a group or combination of things forming a complex and unitary whole. When a system is optimized, its overall effectiveness is always greater, and sometimes far greater, than the sum of its parts.
Currently, risk management is more often managed as a process than a system. A process is a sequence of activities intended to produce a particular result. Processes are parts of systems. Systems cannot work well without effective processes but getting individual processes working well is not the same as optimizing the entire system.
In our experience, too few SAM risk management systems are managed as such. This means a SAM risk management system cannot be optimized and so SAM risk cannot be managed as well as it could and should be.
2. Systems are defined by the value they create
The value of a well optimized risk management system is that an organization is, using the example of SAM risk, confident minors and vulnerable adults in its care are as well protected as they can be. Stakeholders can also trust these organizations when they say this is so.
Currently, the desired outcome of too many risk management processes (and systems) is that nothing bad should happen. The problem when a risk manager is dealing with an inherently rare event like SAM is that nothing happening is what should happen all the time and does happen most of the time. ‘Nothing happening’ is, therefore, worthless feedback in establishing the effectiveness of the system and so conveys little or no value.
In fact, the contrary can be true. Absence of evidence of the ‘bad thing’ doesn’t mean the system is working; it may only mean the bad thing hasn’t tested the system. Worse, evidence of absence can be a false negative because the system isn’t effective enough to identify the ‘bad thing’. And because false negatives happen too often with SAM risk, and are too often identified only after it is too late to do anything about them, stakeholders have become inured to claims that ‘nothing bad is happening means everything is good’.
SAM risk management involves too much effort and investment to return so little value. An optimized SAM risk management system should deliver credible confidence and reliable trust in the quality of an organization’s SAM risk management.
3. Any form of management requires reliable information
With reliable, practical, and contextually relevant information, and a system to make sense of the information, any manager can be confident their decisions are well-informed. Given SAM risk managers usually have other responsibilities ahead of risk management like HR, legal, or finance, that they spend less than 10% of their time managing any risk, and they rarely have formal risk management training, high-quality information and a system to make sense of the information would be extremely valuable to a SAM risk manager.
Currently however, SAM risk managers have functionally no SAM risk or SAM risk management information. This is because the SAM risk ecosystem, like almost every other risk ecosystem, is silo based. This means:
- no one in the SAM risk ecosystem currently has complete, accurate or timely risk or risk management information; so
- risk management practices have not yet been accurately measured; and so
- best practices are subjective, and many are inevitably flawed.
In recent research we conducted, we found that the range of practices adopted by organizations supposedly managing SAM risk according to the same rules can vary widely. Some practices were strong, but others were weak or non-existent.
Until all the key types of SAM risk and risk management information are collected together and analyzed as a whole and in context, practices will continue to vary widely, and best practices will remain subjective and flawed.
4. SAM risk has changed more than SAM risk management
10 years ago, statutes of limitation were rarely longer than majority plus 5 years. In some States now, statutes of limitation are majority plus 20 or more years; in a few places they are effectively – and sometimes in fact – non-existent. In addition, settlement values have increased considerably. 10 years ago, a $1m settlement was a large settlement; the largest single victim settlement recently was $40m. SAM risk is now an existential risk to almost any organization.
SAM risk management has been adapted considerably since it first emerged 30 years ago, but it hasn’t changed as much in the last 10 years as the underlying risk. For example:
- The original assumptions to managing SAM risk were that the biggest threats were pedophiles and ephebophiles. A review of SAM claims and recent research makes clear this assumption grossly oversimplifies a far more complex risk environment.
- As noted above, SAM risk is still most commonly managed as a process intended to create safe environments; continued failure to prevent, identify, or mitigate SAM risk suggests too many environments are still not as safe as they should be. And the recent and dramatic increase in the use of online communications tools is still being absorbed into SAM risk management thinking.
Like most risks, SAM risk is dynamic. It may be less dynamic than some other risks, like cyber for example, but the SAM risk environment, SAM risk itself, and organizations managing SAM risk all change often enough that SAM risk must be managed in a system that includes the capacity to identify the need for, and enables appropriate adaptation. Without adaptation, SAM risk cannot be as effective as we all need it to be, making it not just difficult to do well, but practically impossible…
It is uncomfortable to acknowledge that some people find minors and vulnerable adults sexually attractive. It is only marginally less uncomfortable to acknowledge that anyone is capable of making a bad decision. Both mean SAM will likely never be eliminated altogether.
Objectively good SAM risk management in every organization looking after minors and vulnerable adults would lead to much less SAM and much less damage from the SAM that cannot be prevented. We think objectively good SAM risk management, and therefore confidence and trust in the quality of an organization’s SAM risk management are possible if these four issues are addressed.
Please let us know if you agree with these four reasons and if you think we should add more. We are designing a new service to address these issues and would appreciate the feedback.