Dear ACCCE,
Are compliance and risk management the same thing? What is a risk-based approach?
Sincerely,
A curious compliance officer
Two Functions Unified by One Risk Management Strategy
Compliance and risk management are two distinct functions that should be unified by one risk management strategy. A risk-based approach is a common risk management strategy in highly-regulated industries that optimally facilitates compliance while also mitigating other risks. A properly implemented risk-based approach creates a broader level of protection for the business, employees, and investors from reputational, administrative, civil, and criminal penalties.
Compliance protects organizations from regulatory risks they are exposed to by integrating control activities into the day-to-day job functions that should reasonably allow employees to compliantly fulfill their duties. Risk management uses the analysis of risks to protect organizations from threats from a wider variety of sources by prioritizing threats most likely to harm the company.
For example, consider regulatory requirements when wasting cannabis products. Compliance would work with the employees directly involved in wasting the cannabis products to integrate the regulatory requirements into their day-to-day actions, decisions, and quality review. Risk management would analyze the most likely reputational, administrative, civil, and criminal risks that wasting cannabis product exposes the business to. This allows them to determine if additional control activities, reporting, training, auditing, or other activities are appropriate. These other activities beyond the regulatory requirements would be implemented to reduce the civil and criminal penalties that non-compliance exposes the company, its employees, and investors to.
In an ideal world, the compliance control activities would prevent non-compliance altogether. If it doesn’t, the risk management activities should lead to prompt detection while minimizing harm, and give the business the greatest chance of reducing penalties because of the non-compliance.
Executive management, compliance managers, and risk managers who understand how to implement a risk-based approach can reduce the business’s risk of reputational, administrative, civil, and criminal penalties more than either function operating alone. In fact, a highly-regulated business can’t reduce compliance risks for the business, employees, and investors meaningfully without both robust risk management and compliance.
Understanding the difference between compliance-related activities and risk management-related activities allows you to use the right tool for the right job. Here’s how to compare compliance and risk management:
- Day-to-Day Management vs Oversight:
- Compliance takes the known regulations your business must comply with and integrates them into your day-to-day practices.
- Risk management uses analysis to determine the risks worth taking and the mitigations worth implementing.
- Prescribed vs. Predictive:
- Compliance focuses on the specific tasks or outcomes a business must manage to remain compliant. This allows management to integrate requirements into their processes and procedures.
- Risk management focuses on the impact and likelihood the risks will have on the business. This analysis allows management to prioritize resources on the mitigants most likely to minimize risks, or take advantage of their upsides.
How a Risk-Based Approach Helps
While functionally different, compliance and risk management should be unified under a risk management strategy to multiply the value of each. Going back to the above example on wasting cannabis products, a risk management strategy aligns compliance and risk management to reduce any likely penalty below the risk appetite of the company. Reducing criminal exposure to the company, employees, and investors from negligent and willful acts is usually part of the risk appetite. To accomplish this, compliance would focus on a system of controls to reasonably allow the employees to compliantly manage wasting cannabis products according to the regulation. Whereas through its analysis of risk, risk management may conclude that wasted cannabis products could be used for diversion that exposes the company to criminal penalties. Based on the analysis, management might focus on reducing the likelihood of criminal penalties by setting up control activities to detect and investigate the wasting of high volume/value cannabis products that may indicate diversion.
ACCCE champions the Cannabis Risk Management Framework (CRMF), a risk-based approach.
The CRMF allows both compliance and risk management functions to focus resources on the mitigants most likely to reduce the risk or increase the reward of taking a risk. Implementing the CRMF creates:
- Integration with business objectives: A risk-based approach starts by integrating business objectives to align compliance and risk management activities to the areas that matter most to the business. Integrating business objectives allows the business to determine the likely risks it faces and how to best prioritize its remediation.
- Reduces the chances of non-compliance: Unified under a risk-based approach, compliance and risk management create a well-designed system of control that is more effective than either alone. The CRMF establishes the features that demonstrate the business’s intent to comply. For example, clear oversight demonstrates the business’s tone at the top, demonstrating to every employee the importance of compliance.
- Reduces the cost of non-compliance: Compliance in the commercial cannabis industry is too complex to accomplish solely through check box ticking or control activities. This is acknowledged by most jurisdictions through consideration of mitigating factors when penalizing non-compliance. A well-designed system of controls that is in place and working as intended when non-compliance is identified is more likely to create an environment where the regulator can work with the licensee to bring them back into compliance. Alternatively, a lax system of controls is likely to result in strict enforcement to bring the licensee back to compliance.
- Establishes an Enterprise View: A well-designed system of controls creates a strong risk culture where risks are proactively escalated and analyzed. This reduces the chances that risks are siloed by function or brand, thus identifying risks early in the risk horizon where mitigation is more cost-effective.
The end goal of risk management and compliance is to reduce perils and hazards that threaten the business. A risk-based approach forms a comprehensive strategy across the business that reduces the chances of non-compliance by focusing resources on the most important risks. This strategy reduces the penalties of non-compliance because regulators acknowledge that a well-designed system of control that is in place, effective, and working as intended may still suffer from non-compliance. Regulators recognize the risk-based approach across highly-regulated industries because it effectively maintains compliance across the business, creates the environment where non-compliance is less frequent and impactful, and when non-compliance is found, the licensee is able to remediate the problem.
Ultimately, risk management and compliance are professional functions that tackle similar issues for the company from different angles. The CRMF risk management strategy allows managers and owners to manage costs and provide better protection for the business, employees, and investors.
The Association of Certified Commercial Cannabis Experts (ACCCE) is dedicated to advancing the professional knowledge and skills of those committed to commercial cannabis risk management.
Click here to become a member and connect with our community of like-minded professionals in the commercial cannabis industry.
