A Risk-based Strategy

Adopting a risk-based strategy allows the commercial cannabis business to mitigate reputational, administrative, civil, and criminal exposure by creating a well-designed risk program. The ACCCE risk program implements the Cannabis Risk Management Framework (CRMF), a risk-based strategy, to assure the business can demonstrably prove their intent to comply through formalized policies, procedures, and mitigation actions tailored to the business. The CRMF also recognizes that each business’s risk profile and solutions must considers the business’s unique characteristics such as, but not limited to, its size, geographic footprint, operational structure, cannabis product types, and regulatory landscape. This allows this approach to be viable for all commercial cannabis market participants.

The CRMF focuses resources and time on the highest risks to commercial cannabis businesses. The highest risks to the commercial cannabis business are determined by the likelihood and impact of the risk. The complexity of the commercial cannabis industry means that all commercial cannabis businesses are exposed to administrative, civil, and criminal fines and penalties. It is impossible to eliminate all risks that expose commercial cannabis businesses to these fines and penalties, so management must pick an approach that is cost effective and provides relief even if the business is found noncompliant. To accomplish this, the commercial cannabis business must implement a well-designed risk program that is in place and effective prior to noncompliance.

A Well Designed Risk Program

A well-designed risk program is adequately designed to prevent and detect noncompliance by employees and is enforced by the business. The program should enable management to clearly message that misconduct is not tolerated, but also provide reasonable policies and procedures that address and aim to reduce risks identified by the commercial cannabis business. The program should be well-integrated into the commercial cannabis business’s operations and workforce through actions such as appropriate assignments of responsibility, training programs, and systems of incentives and discipline.

It is important to note that the existence of noncompliance does not, by itself, mean that a risk program did not work or was ineffective. No risk program can eliminate all risk. Mitigating factors to noncompliance are based on whether a risk program did effectively identify the noncompliance, including allowing for timely remediation and self-reporting. The business will also need to demonstrate that it undertook an adequate and honest root cause analysis to understand both what contributed to the noncompliance and the degree of remediation needed to prevent similar events in the future to manage money laundering, illicit cannabis market, compliance, supply chain, and operational risk.

An Effective Risk Program

An effective risk program must be resourced and staffed appropriately so that it can audit, document, analyze, and utilize the results of the business’s risk management efforts. The business’s top leaders set the tone for the rest of the commercial cannabis business and management, in turn, must reinforce those standards and encourage employees to abide by them. Effective implementation also requires those charged with a risk program’s day to-day oversight to act with adequate authority and stature. In particular, whether those responsible for compliance and risk management have:

• sufficient seniority within the organization;
• sufficient resources, namely, staff to effectively manage the program; and
• sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee.

To be truly effective, compliance and risk personnel must be empowered within the commercial cannabis business to effectively detect and mitigate risks.

A Risk-based Approach

A risk-based program must enable the business to identify, assess, and document its risk profile so that the business can devote appropriate scrutiny and resources to the range of risks it is exposed to. Therefore, the business must be able to tailor its risk program to detect the particular types of noncompliance most likely to occur in that particular business. For example, the business should analyze and address the varying risks presented by, among other factors, the industry sector, the location and jurisdictions it operates in, the competitiveness of the market, the strategic plans of the business, the regulatory landscape, potential clients and business partners, and use of third parties. This process is generally referred to as a risk assessment. The quality and effectiveness of a risk program is largely judged based on management’s use of the risk assessment to appropriately resources and focus on high-risk issues, even if it fails to prevent an infraction.

In short, regulators, investors, and third parties that evaluate your risk program should understand why the business has chosen to set up the risk program the way that it has, and why and how the business’s risk program has evolved over time.