Rapid cannabis industry growth can bring greater rewards for businesses, but it can also increase risk. For example, operators can run afoul of local and state regulations or get passed over by investors because of inconsistent, inappropriate, or insufficient control processes or a lack of control processes altogether. In addition, the high volume of cash transactions makes dispensaries vulnerable to theft and security issues, and manufacturers must guard against inconsistent or poor product quality resulting in liability issues.
These ever-present operational and financial risks can derail a small startup or a vertically integrated multistate operator (MSO). All cannabis companies should assess their risks and implement mitigation strategies relevant to their current and planned business structures.
While risk profiles vary by business type (cultivator, manufacturer, dispensary, MSO), all cannabis companies can benefit from understanding the fundamentals of risk management. One approach to consider is the Crowe Sustainable Risk Management Framework, which was developed and refined based on engagement in the market with countless businesses across major industries. The framework emphasizes three principles – leadership, integration, and information – that are relevant to nearly any type of business, including cannabis companies.
Effective cannabis risk management begins with buy-in and prioritization by organizational leaders who can take actions across the following themes:
Example of leadership: Company ABC, a cannabis cultivator, is penalized because it did not meticulously register every data point for cannabis biomass and products (such as harvest date, sale, and processing activities) into the track-and-trace database as required by law. As a result, penalties were incurred. In response, operational leaders establish better internal communication channels, define ownership of duties, and set up a review and oversight process to discover potential risks in advance.
Cannabis company leaders are focused on business growth, which means they might lack the time and resources to address risk management on their own. That’s why cannabis risk management should be integrated into existing processes rather than function as a stand-alone program. Integration best practices should involve:
Example of integration: Company XYZ, a cannabis dispensary, identifies security gaps in its cash management processes, which put employee safety at risk. In response, managers improve their standard operating procedures for handling cash, document the procedures in a handbook, and hold a series of staff trainings to reinforce them.
Cannabis risk management cannot succeed without the flow of accurate, timely, and consistent information. Teams should prioritize these actions:
Example of information management: Company 123, a cannabis product manufacturer, discovers that its product costing is inaccurate and its gross margin insufficient. What happened? The finance team had not identified and tracked all direct and indirect costs. In response, the chief financial officer corrects the discrepancies and sets up a process to periodically review costs and internal controls and identify information gaps.
Thanks to regulatory uncertainty and limited access to tools other industries have access to such as national or large regional banking and insurance relationships, the cannabis industry likely will have an increased risk profile for the foreseeable future, which heightens the need for a structured, enterprisewide risk management approach. However, even with so many external factors out of their control, cannabis companies still can dramatically decrease risks by addressing internal strategies and processes.
Cannabis companies with effective, relevant, and well-documented risk management practices can better position themselves to create and preserve capital, attract investment, and achieve long-term sustainable growth.
Talk to a cannabis team member today