The third component of the CRMF is to implement control activities, which are the actions taken to minimize risk.
The risk steering committee and risk officer establish guidelines that include the expected management control structure, control standards, and oversight. The risk officer is responsible for enforcing these guidelines. Management is responsible for implementing control activities within these guidelines.
Implementing the Risk Program
A unified approach to control activities allows management to effectively reduce the risks faced by the commercial cannabis business.
Control activities require three elements: implementation of management control structure, control standards, and oversight. These elements assure management that the control activities are commensurate with the size, structure, risk, and complexity of the commercial cannabis business. A uniform approach to the management control structure establishes ownership and responsibility consistently across management. The control standard establishes the risk expectation of management to assure the reduction of their risks. Establishing oversight allows management to hold stakeholders accountable for managing their risks. These control activity elements enable management to formalize consistent policies and procedures that reduce risk within risk tolerance.
Maturing the Risk Program
Control activities are updated and enhanced as management develops a deeper understanding of their risks and effectiveness. The three elements of control activities should be periodically evaluated to determine if they produce the intended outcome. Control activities are reviewed in conjunction with the risk assessment to determine if more efficient or effective control activities can be implemented, including changing the level of redundancies or implementing automation.
