Like most things in life, you can think of risk management and compliance on a spectrum. We have three basic areas of the spectrum. To the far left, we have cannabis operators who are comfortable being out of bounds and will likely never be convinced that risk management and compliance will be keys to their success. In the middle, we find most operators who want to avoid deficiency notices, fines, and enforcement. They’re interested in managing risk and compliance, but may not have spent the time or resources to master the process. And then there are the operators on the right who often come from highly regulated industries like banking or pharmaceutical. They’re used to operating within a strict regulatory environment and are comfortable managing risk and maintaining compliance using a risk-based approach. Because those on the far left don’t worry about risks or compliance, and those on the right already have or soon will commit significant resources to managing risk and ensuring compliant operations, this article will provide information best suited to those in the middle. For all of you who are looking to develop and implement a compliance program or seek to improve the program you already have, this article is for you.

Compliance Basics

When we talk compliance, we are referring to two types of standards:

• External regulatory laws, rules, and regulations from state and local authorities
• Internal proprietary policies and procedures that inform all the ways in which your brand differentiates itself

A well-designed risk-based cannabis compliance program takes both set of standards into account.

Elements of an Effective Compliance Program

Effective risk-based compliance programs have six elements in common. These elements are:

Effective risk-based compliance programs have six elements in common. These elements are:

Internal Control Environment

• Written and accessible policies that inform training and assign responsibility and ownership of daily operations
• Designated and visible compliance leadership

Risk Assessment

• Internal review to identify risk issues before they become large problems and to document compliant operations

Control Activities

• Written and accessible procedures that inform training and daily operations

Information and Communication

• Open and documented lines of communication
• Periodic reports to management on compliance initiatives, challenges, and successes

Training

• Initial and ongoing training and assessment

Assurance

• Internal auditing to identify issues before they become large problems and to document compliant operations
• Prompt and documented corrective response, as needed
• Regular assessment of program effectiveness. A continuous loop of feedback and action that implements improvements, assess effectiveness, and identifies emerging challenges

Need to talk to your CEO on how to start or why this is important, Why Should a Company Implement a Risk-Based Approach – ACCCE

Setting up a Compliance Program

1. Assign one person to oversee the development, implementation, and maintenance of your company’s compliance program. That person, the Compliance Officer, will be assigned the responsibility and authority to gather a team of people to manage the compliance program. Have the Compliance Officer:
2. Oversee the development of a risk assessment by gathering and assessing the following requirements and standards into control activities by department based on: a) current external laws, rules, and regulations; and b) Current internal policies and procedures
3. Help each department assign a lead person to: a) Identify the rules, regulations, and internal policies and procedures that apply to their department; b) Ensure all existing policies and procedures align with identified requirements and standards; and c) Ensure all requirements and standards are addressed in the department’s policies, procedures, and training.
4. Formalize how the Company will manage and provide access to operational documentation. Because the cannabis industry is still maturing, most companies regularly revise their SOPs. Set up a system to ensure SOP revisions are documented and approved before dissemination
5. Evaluate training needs to assure that employees are: a) Properly trained (and retrained in some cases) on all policies and procedures applicable to their job description; b) Assessed after initial training; c) Formalize documentation for completing training assignments and assessments by completion dates; and d) Formalize a training system and calendar so each department’s new employees receive the same training and retraining.
6. Formalize issue management to organize, assign, oversee, and audit compliance tasks. Primary choices are a physical binder with paper checklists and to-do items or a company-wide electronic compliance management system
7. Determine who will be responsible for change management. Change management will keep your company current on all new guidance and legislation that affects your license type and answer the inevitable and ongoing questions about external regulatory laws, rules, and regulations. Set up a periodic time frame to update your risk assessment based on change management to ensure your team is up-to-date on new guidance and legislation that affects your company. Consider hiring a consultant or lobbyist, or investing in a legislative and regulatory monitoring and updating service. 
8. Determine how you will inform and communicate operational compliance to company stakeholders and regulatory auditors. Consider preparing a risk profile based on your risk assessment to make all stakeholders aware of the highest risk issues affecting the company. 
9. Set up a calendar to ensure timely renewal of licenses, assignment of continuing training requirements, and auditing of all priority areas as determined by your risk management program.
10. Share with all staff members how the new compliance program will help them. Let them know that the compliance program will: a) Provide them with information so they know exactly what is expected of them in their position at the company; b) Empower them with access to information and training to support their job performance; c) Reduce stress; and d) Ensure that everyone, in every department, works within established guidelines to build a trusted and powerful cannabis brand.

Often the hardest part is just getting started. Taking the time to establish and maintain risk management and compliance programs for your company is smart business.  Look around ACCCE’s Commercial Cannabis Insights page, and you will find resources that define risk management programs, others that offer up best practices in risk management, and still others that compare risk management to quality management and compliance programs. The goal of all these resources is to provide you with the information you need so that you can focus your time on identifying and managing the risks that could derail your company. Furthermore, implementing controls and systems—a compliance system—to mitigate that risk, is the right course of action.

Not an ACCCE member yet? Sign up for ProCanna compliance tips or demo, and we will pay for your ACCCE membership, a $100 value. Visit us at https://procanna-usa.com.