Each risk program and its applicable policies are designed to comprehensively address risk within the risk appetite.
The personnel involved in designing and implementing the risk program include:
The Board
The commercial cannabis business’s board plays a critical role in ensuring long-term growth and sustainability, while also promoting enterprise-wide risk management.
The key risk management responsibilities of the board include:
- Setting the tone from the top and ensuring a culture of risk management
- Selecting a qualified risk officer with proper authority and responsibility
- Providing adequate resources to effectively execute all duties
- Approving the risk appetite, risk strategy, and applicable risk policies
In addition, the board has many other risk management responsibilities, including:
- Reviewing the risk assessment, including control deficiencies
- Seeking assurance regarding the ongoing effectiveness of the risk program
- Reviewing internal reports to understand how organizational changes affect the risk program
- Reviewing the market environment in which the commercial cannabis business operates to identify new and evolving risks
- Assessing whether the commercial cannabis business is achieving its business objectives while continuing to operate within acceptable risk tolerances
- Overseeing material risk activities
- Approving and enforcing the ethics and whistleblowing policy
Board Risk Committee
To efficiently carry out their responsibilities, board members should understand the risks specific to the commercial cannabis business. As the complexity of the commercial cannabis business or risk profile increases, the board will find it more effective to create a board risk committee. The creation of the committee allows the board to appoint members and delegate certain responsibilities to those who are knowledgeable about the risks faced by commercial cannabis businesses. In the event the board does not establish a board risk committee, the board is responsible for carrying out these activities.
The key risk management responsibilities of the board risk committee include:
- Reviewing and approving material risk-mitigation plans
- Holding management accountable for identifying, measuring, and mitigating risks
- Approving policies to escalate and report significant risk events to the board, steering committee, government agencies, and law enforcement, as appropriate
- Obtaining an independent review of the risk management strategy to ensure it is performing as intended
- Establishing the policy for approving higher risk and critical vendors
In addition, the board risk committee has many other risk management responsibilities, but may delegate these responsibilities to management or another committee (e.g., risk steering committee):
- Promoting effective risk governance
- Providing for comprehensive and effective audit coverage of risk controls
- Overseeing and receiving updates on material risk projects, budgets, priorities, and performance to ensure adequate allocation of resources for funding and personnel
- Delegating the design, implementation, and monitoring of specific risk activities
Risk Steering Committee
The risk steering committee differs from the board risk committee in that it convenes as necessary to address risks. Further, the risk steering committee is normally composed of the risk officer, senior management, and staff from other business units. Risk steering committee members should understand risk policies and procedures (collectively referred to as the risk program). These members must have the authority to make decisions for their respective business units. If a formal risk management staff exists beyond the risk officer, the staff should participate in an advisory capacity so the risk steering committee can maintain its business unit representation. The risk steering committee provides the forum for material risks to be analyzed and discussed. This assists the risk officer in delegating responsibilities to implement control activities to appropriate management.
The risk steering committee generally has the following responsibilities:
- Receiving material information from the risk department, lines of business, and external sources about current or potential risk issues
- Strategic risk planning
- Oversight of risk management performance
- Aligning risk strategy with business objectives
- Coordinating and monitoring the risk resources
- Reviewing and determining the adequacy of training
- Reporting to the board or the board risk committee the status of the risk steering committee’s activities
Risk Officer
The risk officer should be fully knowledgeable of the risks related to the commercial cannabis business.
The key responsibilities of the risk officer include:
- Designing and implementing the risk management process
- Developing, implementing, and enforcing policies and procedures designed to mitigate risks
- Performing a risk assessment that analyzes current risks
- Identifying potential risks that may affect the business objectives
- Assisting the board in establishing the risk appetite
- Assisting the board and management in establishing the risk strategy
- Determining corrective actions and disciplinary measures when a risk event is identified
Other risk management responsibilities include:
- Preparing risk management budgets
- Producing risk management reports
- Creating business continuity plans
- Overseeing risk and compliance audits
- Building risk awareness
Risk personnel must maintain a level of independence and segregation of duties to prevent potential conflicts of interest. This can be achieved by implementing a risk-reporting structure through the risk officer. The structure should include established processes for escalating any discrepancies between risk staff and the business line to executive management or the appropriate governance body.
Training Officer
As training becomes more complex, the risk officer may designate a training officer who manages the day-to-day operations of training.
The key responsibilities of the training officer include:
- Administering the training systems and assignment of training
- Managing training assignments
- Providing reports and analysis to the risk officer
- Overseeing consistency in materials and tests
- Maintaining training records
- Ensuring training records are up to date
- Creating training needs assessments
Employees
When establishing a risk program, it is critical to understand that the risk officer is not solely responsible for the ownership of all the risks facing the commercial cannabis business. Employees are responsible for promptly reporting risks and opportunities relating to business objectives to senior management and the risk officer.
The risk management process must involve every employee in the commercial cannabis business for successful implementation. If employees fail to embrace risk management, risk management will fail to become part of the corporate culture and the commercial cannabis business will be exposed to increased risk. Risk ownership is each employee’s responsibility. It is the collective effort of all employees to confront the commercial cannabis business’s risks, regardless of their respective job titles.
Key risk management responsibilities for employees include:
- Completing training before the due date
- Understanding unusual activity specific to their role
- Reporting unusual activity when it is observed
- Reporting risk events in a timely manner
- Understanding the ethics and whistleblowing policy
