Rapid cannabis industry growth can bring greater rewards for businesses, but it can also increase risk. For example, operators can run afoul of local and state regulations or get passed over by investors because of inconsistent, inappropriate, or insufficient control processes or a lack of control processes altogether. In addition, the high volume of cash transactions makes dispensaries vulnerable to theft and security issues, and manufacturers must guard against inconsistent or poor product quality resulting in liability issues.
These ever-present operational and financial risks can derail a small startup or a vertically integrated multistate operator (MSO). All cannabis companies should assess their risks and implement mitigation strategies relevant to their current and planned business structures.
While risk profiles vary by business type (cultivator, manufacturer, dispensary, MSO), all cannabis companies can benefit from understanding the fundamentals of risk management. One approach to consider is the Crowe Sustainable Risk Management Framework, which was developed and refined based on engagement in the market with countless businesses across major industries. The framework emphasizes three principles – leadership, integration, and information – that are relevant to nearly any type of business, including cannabis companies.
Crowe Sustainable Risk Management Framework
1. Leadership in addressing risks
Effective cannabis risk management begins with buy-in and prioritization by organizational leaders who can take actions across the following themes:
- Strategy. Organizational leaders must take a systematic approach and incorporate risk management into existing goals, strategies, and budgets.
- Organization. Leaders also should define employee and management roles, set up accountability, and update the organizational structure to mitigate risks.
- Change management. By overseeing the process of change and integrating risk management into existing practices, leaders can prepare the business for changes in risk profiles.
- Culture. Through embedding risk awareness into company culture and establishing a common risk language, leadership can help teams identify and address new risks as they arise.
Example of leadership: Company ABC, a cannabis cultivator, is penalized because it did not meticulously register every data point for cannabis biomass and products (such as harvest date, sale, and processing activities) into the track-and-trace database as required by law. As a result, penalties were incurred. In response, operational leaders establish better internal communication channels, define ownership of duties, and set up a review and oversight process to discover potential risks in advance.
2. Integration of risk management practices
Cannabis company leaders are focused on business growth, which means they might lack the time and resources to address risk management on their own. That’s why cannabis risk management should be integrated into existing processes rather than function as a stand-alone program. Integration best practices should involve:
- Documentation. A solid documentation practice includes developing and improving processes, then documenting them in writing and demonstrating ongoing compliance with an auditable paper trail.
- Collaboration. Effective collaboration includes integrating practices across departments, breaking down risk silos, and working together to set acceptable risk tolerance levels.
Example of integration: Company XYZ, a cannabis dispensary, identifies security gaps in its cash management processes, which put employee safety at risk. In response, managers improve their standard operating procedures for handling cash, document the procedures in a handbook, and hold a series of staff trainings to reinforce them.
Consider a risk management and internal control assessment
A high-quality risk management and internal control assessment tailored to the specific needs of cannabis businesses can help identify risks and opportunities.
3. Information for ongoing assessment and improvement
Cannabis risk management cannot succeed without the flow of accurate, timely, and consistent information. Teams should prioritize these actions:
- Assessment and response. Managers should collect data from a variety of sources and investigate risk scenarios and risk response design.
- Monitoring and reporting. Each team should develop KPIs and dashboards. Alternatively, the organization can adopt a governance, risk, and compliance platform to maintain ongoing visibility of risk factors.
- Process improvement. Organizational leaders should use timely data to improve processes and incorporate risk into decision-making.
Example of information management: Company 123, a cannabis product manufacturer, discovers that its product costing is inaccurate and its gross margin insufficient. What happened? The finance team had not identified and tracked all direct and indirect costs. In response, the chief financial officer corrects the discrepancies and sets up a process to periodically review costs and internal controls and identify information gaps.
Cannabis risk management supports growth
Thanks to regulatory uncertainty and limited access to tools other industries have access to such as national or large regional banking and insurance relationships, the cannabis industry likely will have an increased risk profile for the foreseeable future, which heightens the need for a structured, enterprisewide risk management approach. However, even with so many external factors out of their control, cannabis companies still can dramatically decrease risks by addressing internal strategies and processes.
Cannabis companies with effective, relevant, and well-documented risk management practices can better position themselves to create and preserve capital, attract investment, and achieve long-term sustainable growth.
Explore our cannabis services and solutions
Crowe cannabis specialists can help you address pressing challenges – from tax planning and compliance to audit and assurance, internal controls, and mergers and acquisitions.
Crowe specialists can help your business navigate growth. We bring extensive cannabis industry experience and the resources of a top 10 accounting firm.
Qualified organizations only. Independence and regulatory restrictions may apply. Some firm services may not be available to all clients. Given the continued evolution and inconsistency of various state and federal cannabis-related laws, any company should seek competent legal advice relating to its involvement in the cannabis industry, including when considering a potential public offering as a cannabis-related company.