Purposefully Achieve Your Company’s Goals with a Compliance Risk Assessment
Risk and compliance professionals know that operating a highly regulated business is difficult. But in the cannabis industry, it is exceedingly tough because of jurisdictional variances and rapidly changing regulations.
Risk and compliance officers at commercial cannabis businesses aren’t strangers to this complexity and know the fine balance that must occur between profitability and risk. The 2020 U.S. presidential election and changes in internal laws offered a boon for those looking to enter the legal cannabis market with more jurisdictions allowing cannabis use, but this also means that commercial cannabis businesses must closely examine the associated compliance risks that accompany the new opportunities. This is best accomplished through a formal risk assessment.
All actions have associated risks. The question is, how do you manage those risks?
A compliance risk assessment is the foundation of a well-built compliance program and supports a strong risk culture. A risk assessment helps a business identify its unique risk profile, which is the combination of the specific compliance risks that affect the business and the potential impact of those risks. As you consider how to grow your business, you want to ensure you are prepared to take on any associated risks and are prepared to manage those risks efficiently and effectively.
No business is completely immune to risk, but the good news is that a risk assessment will help you determine if the risk can be mitigated appropriately for the reward. The risk assessment is not a one-and-done exercise. It is meant to be a living document that is updated no less than every 18 months and should also be your first step when considering any type of business expansion.
Risk vs. Reward in the Real World
Consider this scenario: two similarly licensed horizontally integrated cannabis operators are looking to expand into a new jurisdiction. Both companies worry that entering a new jurisdiction brings risks that might materially hurt their business if done incorrectly.
Company A’s risk officer knows that the regulations and rules can vary significantly between jurisdictions and localities. While the risk officer has a risk assessment review scheduled in six months, she knows that with this contemplated expansion, an immediate review of new potential risks is necessary. Company A’s risk officer gathers the necessary cross-functional experts and completes a risk assessment to identify the potential compliance risks associated with expansion into the new market. At the end of the risk assessment exercise, the risk officer communicates the results with all stakeholders and works with senior management and the board to move forward with the expansion. While the risk assessment has identified some high risks with the expansion, the identified control activities would be satisfactory with some minor enhancements to manage the newly identified risks and remain within the company’s risk appetite – the amount of risk that senior management and the board are willing to expose the business to in order to achieve business goals. Ultimately, their analysis has indicated that the reward is worth the cost of modifying their control activities. The risk assessment empowered management to make an informed risk-based decision to expand their business and be well positioned for growth.
Conversely, Company B’s risk officer decides that conducting a risk assessment is not necessary because the business is already updating the risk assessment six months from now on its 18-month schedule. Senior management is excited to expand the business, so they move forward without assessing potential risks. Ultimately, the risk officer conducted the risk assessment and discovered that control activities were not appropriately modified, and the company engaged in noncompliant activity. When reviewed by regulators, the activity was brought to the risk officer’s attention. Unfortunately, since the risk officer cannot point to an applicable risk assessment, the regulator is concerned that the business does not have an effective risk management system in place. The risk officer has exposed the business to possible enforcement actions that he must now mitigate, which will be costly and time consuming.
While both companies have expanded their business, Company A was able to realize an expansion with controlled costs and an understanding of the major risks. Company B has expanded, but that has come with potential fines and risks to their licenses. Company A followed three key steps to build out its risk assessment process:
(1) Create a framework
(2) Develop an evaluation methodology
(3) Evaluate the control environment
3 Steps to a Robust Compliance Risk Assessment
Compliance risks facing a commercial cannabis business are complex, which can make them frustrating to keep up with.
The three key steps to building a robust risk assessment process are illustrated through an evaluation of the compliance risk area.
The first step when designing a risk assessment is to create a framework that lays the groundwork for how you will assess your compliance risks. The framework details your business’s risk landscape and the specific compliance risks your business is exposed to. For example, in the commercial cannabis industry, you may be exposed to environmental, health, and safety; cross-jurisdictional transportation; and other industry-specific compliance risks. Your business will also be exposed to compliance risks that are specific to your own business model, depending upon the products and services you offer, the business processes you have, and the jurisdictions in which you operate. These are the most common risk drivers within the compliance risk area for each commercial cannabis business, but your assessment and management of them will differ from those of other commercial cannabis businesses because your risk profile is different.
The second step in the risk assessment process is to develop a methodology that explains how you evaluated all the compliance risks your business is exposed to. The methodology can use qualitative and quantitative ways to assess the risks and does not have to be overly complex. The goal is to assess the likelihood and potential impact of each risk so you can arrive at the inherent risk exposure to your business. Inherent risk is risk that is present without taking into consideration your control environment, for example, policies and procedures, training programs, dual control, and segregation of duties. Risk exposure can be easily documented on a rating scale of low to high, with low reflecting minimal impact and high reflecting significant impact. This will give you a comprehensive visual representation of what you are working with.
The third step in the risk assessment process is to evaluate your control environment against the inherent risks you identified to determine what your residual risks are and where you may have deficiencies that require remediation. Residual risk is the risk that remains at the end of the risk assessment process – think of it as inherent risk minus the control environment. If you identified that your control environment is not sufficient to manage the risks within the company’s risk appetite, either because there is a weak control activity in place or because a control activity is absent, you must take some action. Prioritize your highest residual risks first and determine how you will manage those risks. This will help you determine appropriate resourcing to focus on the highest risks first.
Using a risk assessment will help you gain insight into the most critical risks facing your business objectives and determine the best mitigation strategies to employ. This allows you to communicate the risk profile to senior management and the board. By communicating the risk profile, they can make an informed risk-based decision on whether the rewards outweigh the risks.
Risk Assessments Empower Risk-Based Decisions
Risk assessments are an essential component of a robust compliance program and strong risk culture. As you expand your business’s products and services, it is also important to update your risk assessment to maintain the business’s risk profile. While risk assessments should be updated at least every 18 months, they should also be updated before you consider any type of expansion or change in business model. Diving in feet first without evaluating how that new product or service offering, market expansion, or production methodology might affect your business can wind up damaging your business instead of helping it grow.
Risk officers who update their risk assessment for new business objectives and on a periodic schedule are protecting their company from probable noncompliance. A business that conducts and communicates a formal risk assessment empowers all employees to help make informed risk-based decisions that will save the business time and money and enhance competitive advantage.
The Association of Certified Commercial Cannabis Experts (ACCCE) is dedicated to advancing the professional knowledge and skills of those committed to commercial cannabis risk management.