CannTrust Shows Why Compliance Matters for Cannabis Industry

CannTrust Holdings Inc. stock dropped 48% after a news report by Bloomberg indicated that regulators found unlicensed grow rooms and provided them false and misleading information. Within five (5) days, the company lost over $174 million in market value. CannTrust may be the first, but it will not be the last, commercial cannabis business to suffer investor backlash after a regulatory infraction or be the party of a class-action investor lawsuit.

Cannabis businesses should learn from this event and perform an internal review of existing risk, governance and compliance controls around the procurement of cannabis, especially in states with cannabis shortages. A CannTrust employee interviewed by Bloomberg stated that the company was cutting costs and corners, indicating a lack of controls and culture of compliance.

An effective risk and compliance framework, along with a culture of compliance, protects an organization and its shareholders. Senior leadership must be familiar enough with the day-to-day operations to understand what risks are on the horizon and how to help the company head them off. This involves assessing the organization’s daily activities and processes to determine the types of events, that if they occurred, would stop business operations, prompt regulators to investigate, cause unfavorable headlines, or make consumers avoid your brand.

Senior leadership also sets the tone at the top for the expectations for the company’s vision, strategy, and growth. The company culture and the quality of senior management are imperative to ensuring that employees understand the rules of the road. The internal threats posed by employees are just as great as those posed by the potential contamination of a cannabis harvest.

If interested in cutting costs, cannabis businesses may utilize technology to automate as many processes as possible. Companies can utilize technology such as governance, risk, and compliance platforms to assess risk, document its processes and controls used to mitigate the risk and test whether they work. The automation helps contain headcount and creates a central repository for institutional knowledge, which is important in a high growth industry that is staffing up quickly.

The CannTrust regulatory disclosure is a wake-up call for the cannabis and hemp industries. The industry has matured and is being held to public market standards. The cannabis industry must ensure that it continues to mature by adopting public market governance and risk frameworks and controls. Market value can be erased overnight. However, well run companies establish culture and controls to prevent this from happening.

The Challenge of Assessing and Mitigating Risk in the Cannabis Industry

The fact that cannabis is illegal under federal law is not the only reason why the industry is high risk. The vertical nature of the cannabis industry means that a business may perform activities in multiple sub-industries such as agriculture, pharmaceutical manufacturing and testing, food manufacturing, distribution, transport, retail, and medical sales. Each of these industries poses unique risks to a business. So how is a cannabis business supposed to understand and assess its risk?

Understanding risk is key to establishing an effective risk and compliance framework that protects the organization and its shareholders. A business must understand where the land mines are hidden, and ensure that they fail to detonate.

This involves assessing the organization’s daily activities and processes to determine the types of events, that if they occurred, would stop business operations, prompt regulators to investigate, cause unfavorable headlines, or make consumers avoid your brand.

Senior leaders in the organization should be familiar with these issues and articulate them to operations or compliance so that mitigating controls or processes can be implemented. This risk assessment process can be documented, and controls can be aligned with the associated risks to ensure completeness.

Rigorous controls should be designed for the highest areas of risk, and the controls should be tested on a periodic basis. By testing the controls, the company can ensure that they are well designed and work as intended.

Risk and control frameworks can help protect an organization from catastrophic consequences of a data breach, product or food recall, internal fraud or other events that happen in every type of an organization. An organization should consider how it will respond if something does happen. Incident response plans can help the firm practice how it will manage the situation rather than reacting to the situation.

In the end, belts and suspenders can create good practices that protect an organization and its shareholders. If something does happen, knowing how the company will respond can help the company navigate the stormy waters to a full recovery.

DOJ Issues Guidance on a Well Designed & Effective Corporate Compliance Program

The Department of Justice (DOJ) updated its guidance to help prosecutors to evaluate corporate compliance programs.  Prosecutors rely on this guidance when evaluating business organizations during an investigation, determining whether to bring charges or when entering into a plea agreement.

The DOJ guidance asks prosecutors to answer three questions about the organization’s compliance program including:

  1. Is it well designed?

  2. Is it applied effectively so that it mitigates risk identified during a risk assessment process?

  3. Does the compliance program work in practice?

Well Designed: The DOJ’s guidance provides that the organization’s compliance program is well designed if the organization periodically performs a risk assessment process to identify and understand the organization’s risks, and maintains policies and procedures that incorporate processes that mitigate those risks. The policies and procedures should “incorporate the culture of compliance in its day-to-day operations.”

Effective: The DOJ’s guidance recommends that prosecutors assess the compliance program’s effectiveness. The “tone at the top” that is set by senior management should establish an ethical environment and culture of complying with the law. Appropriate governance should be established with independent board members to ensure that there is appropriate oversight, including auditing and well financed compliance function.

Does the Compliance Program Work? The DOJ’s guidance indicates that prosecutors should evaluate how the organization detects misconduct and the good faith effort utilized in performing remediation including the performance of a root cause analysis to understand how the misconduct occurred. The compliance program should be continuously monitoring the organization for new risk and improving the internal control system. The compliance program should include a testing program to identify any weaknesses in high risk areas, and to ensure that controls work. The organization should also investigate and remediate the root cause of misconduct.

The DOJ’s guidance provides insight on best practices that all businesses should follow. The compliance program can be customized to address an organization’s size, risk profile and strategic goals.

Want to Sell Your Business or Go Public? Embrace Compliance

Entrepreneurs start businesses to make money. At some point, the entrepreneur may want to sell or go public, for a variety of reasons. A company that has an inadequate risk and compliance program may find it difficult to do so.

Bankers, investors and potential partners want to understand the risk associated with the company that may negatively impact the company's future value and the partner's reputation. These risks include, among others, illegal activity, fraud, enforcement actions, intellectual property infringement, litigation or the threat of litigation, a consumer safety issue, or employee lawsuits.

A company, as part of what is known as “due diligence”, must disclose these risks and demonstrate control frameworks that prevent them from occurring. Otherwise, no one will be interested in doing a deal.

The cannabis industry poses a higher risk to investors as compared to other industries, which means that sophisticated investors or investment banks will perform extra levels of due diligence. These extra levels are designed to uncover illegal activity, compliance failures, a lack of a culture of compliance, and determine whether a company’s risk and control programs are on par with industry best practices.

If due diligence uncovers evidence of risky business, the valuation of the business and the ability to enter the public market will be negatively impacted. Between two similarly situated acquisition targets, an institutional player will select the business that mitigates risks facing the business, and embraces a culture of compliance. In the cannabis industry, compliance is a competitive advantage.

It is not too late to take a step back and understand how you can implement a risk and compliance program expected of a public company. There are small steps that can take you a long way including:

  • Hire a compliance officer and provide them with sufficient resources to create an effective risk and compliance program. The risk and compliance program can be customized to the company’s size, risk, and strategic goals.

  • Create a culture of compliance. The internal threats posed by employees is one of the greatest risks that can quickly erode a business’ valuation or opportunity to go public.

  • Grow quickly but wisely. Sophisticated investors and investment banks care about the quality of the assets a company buys. Perform due diligence- otherwise, the investment may be worthless. Remember that a company’s sins are assumed by the buyer and do not go away.

  • Obey the laws and demonstrate how you do it. Always be prepared to show investors how the business complies with all applicable regulations.

At the end of the day, the companies that have effective risk and compliance programs will become the market leaders. Those that do not, will fall away. The risk to investors and investment banks in making a bad bet is too great for them to support companies that fail to mitigate risk or follow the rules.