Learning Risk Management and Compliance From the Cannabis Industry

Here are some of the risks and methods cannabis operators are using to mitigate them.


If you work with products that are not criminalized by the federal government, you may not think you have anything to learn from companies in the cannabis and hemp industry.

But, as these entrepreneurs navigate unique security problems and a patchwork of intense state-by-state regulations, they are participating in a grand business experiment that illustrates the value of innovation and discipline when it comes to risk management and compliance.

Some of these strategies may be familiar to those in other highly regulated, high-stakes industries such as electronics, jewelry and controlled pharmaceuticals. Like those industries, cannabis operators face tumultuous supply chains, products with short shelf lives, the need to protect trade secrets, cybercrime and the burden of keeping up with anti-money laundering and “know your customer” banking requirements.

Cannabis cultivators, manufacturers, distributors and retailers deal with a high-dollar product that invites theft, and limited banking options force most transactions to occur in cash, which leaves them at high risk for targeted crimes. Cannabis businesses suffered a string of mass break-ins last year, with deadly robberies occurring in 2021, prompting many dispensary staff to carry weapons to defend themselves.

Beyond the security concerns are stringent regulations that can lead to expensive penalties, business shutdowns or even criminal prosecution if not followed closely. For example, states allowing the sale of cannabis require such businesses to hold licenses, and any transfer between licensees requires a manifest and state reporting. Some states even require a third party to transport the product. Retailers are responsible for enforcing state limits, and when they circumvent these regulations, executives can end up in jail.

Here are some of the risks and methods cannabis operators are using to mitigate them. Underlying all of these are standard operating procedures (SOPs) specific to the cannabis industry.

Theft of cash and high-value assets

  • Lots of cameras. Many states require cannabis operators to install video surveillance systems and securely store the recordings or face hefty fines.
  • Inventory auditing. Cannabis and hemp companies should use track-and-trace software to help provide auditing oversight, enforce ever-changing business rules and manage business processes compliantly.
  • Company uniforms without pockets to prevent theft of inventory or highly developed products. This even includes cultivation sites where employees may try to steal prized genetics.

Injured employees

  • Robust training. Cannabis extraction and processing is an industry with sophisticated, six-figure machinery, some of which uses butane to strip oils off plants. Explosions and other accidents are a risk; training minimizes it.
  • More cameras. Just as they help monitor theft protections, cameras also aid in identifying cracks in the training system.

Unsavory business partners

  • Supplier onboarding processes to comply with “know your customer” rules. Questions include: Do they have a license? Is it valid? Is the cash coming from a known source?
  • This process is required by the small number of banks that will do business with cannabis operators; many banks won’t take cannabis deposits because the product is still illegal under federal law and complying with reporting requirements is complex and expensive.

Vendor and supplier risks

  • For physical materials, you’ll want to audit the quality of your supplier’s products. One can point to the “vape gate” woes of 2019 for examples of bad hardware or additives, almost all on the illicit market. Manufacturers must pay close attention to ensure their product can pass testing and be safe for consumers.
  • For information technology services, you’ll need vendors to show they’re certified for System and Organization Controls (SOC 2), which validates that they have protections in place against a host of problems, including cyber breaches. This is especially important for a company interested in being traded on a public stock exchange.
  • Enterprise resource planning (ERP) systems cover safety stock, alert for expiring items and provide controls and documentation to external stakeholders.

Audits and other tools

Underlying these distinct risk areas should be a complete list of standard operating procedures. Tools to support the SOPs include:

  • An internal compliance officer, which is a mandated position in many states.
  • Key performance indicators (KPIs) and reporting processes to maintain SOPs.
  • Third-party audits by accounting firms or others to validate SOPs, implement mock state audits, simulate security breaches and review financials.
  • IT systems both for physical security and digital oversight.
  • Third-party security for operating locations.

It’s remarkable how much the cannabis space has evolved in less than a decade since the first state legalized recreational use. Success in any business is hard, but in this industry, operators can only enjoy the rewards if they carefully manage their risks and compliance mandates.

While we support federal legalization of cannabis, that development is unlikely to lessen the regulatory burden on the industry, which will have to maintain and improve these processes. More uniform regulatory requirements across the country will help provide a level playing field for all.