The Challenge of Assessing and Mitigating Risk in the Cannabis Industry

The fact that cannabis is illegal under federal law is not the only reason why the industry is high risk. The vertical nature of the cannabis industry means that a business may perform activities in multiple sub-industries such as agriculture, pharmaceutical manufacturing and testing, food manufacturing, distribution, transport, retail, and medical sales. Each of these industries poses unique risks to a business. So how is a cannabis business supposed to understand and assess its risk?

Understanding risk is key to establishing an effective risk and compliance framework that protects the organization and its shareholders. A business must understand where the land mines are hidden, and ensure that they fail to detonate.

This involves assessing the organization’s daily activities and processes to determine the types of events, that if they occurred, would stop business operations, prompt regulators to investigate, cause unfavorable headlines, or make consumers avoid your brand.

Senior leaders in the organization should be familiar with these issues and articulate them to operations or compliance so that mitigating controls or processes can be implemented. This risk assessment process can be documented, and controls can be aligned with the associated risks to ensure completeness.

Rigorous controls should be designed for the highest areas of risk, and the controls should be tested on a periodic basis. By testing the controls, the company can ensure that they are well designed and work as intended.

Risk and control frameworks can help protect an organization from catastrophic consequences of a data breach, product or food recall, internal fraud or other events that happen in every type of an organization. An organization should consider how it will respond if something does happen. Incident response plans can help the firm practice how it will manage the situation rather than reacting to the situation.

In the end, belts and suspenders can create good practices that protect an organization and its shareholders. If something does happen, knowing how the company will respond can help the company navigate the stormy waters to a full recovery.

DOJ Issues Guidance on a Well Designed & Effective Corporate Compliance Program

The Department of Justice (DOJ) updated its guidance to help prosecutors to evaluate corporate compliance programs.  Prosecutors rely on this guidance when evaluating business organizations during an investigation, determining whether to bring charges or when entering into a plea agreement.

The DOJ guidance asks prosecutors to answer three questions about the organization’s compliance program including:

  1. Is it well designed?

  2. Is it applied effectively so that it mitigates risk identified during a risk assessment process?

  3. Does the compliance program work in practice?

Well Designed: The DOJ’s guidance provides that the organization’s compliance program is well designed if the organization periodically performs a risk assessment process to identify and understand the organization’s risks, and maintains policies and procedures that incorporate processes that mitigate those risks. The policies and procedures should “incorporate the culture of compliance in its day-to-day operations.”

Effective: The DOJ’s guidance recommends that prosecutors assess the compliance program’s effectiveness. The “tone at the top” that is set by senior management should establish an ethical environment and culture of complying with the law. Appropriate governance should be established with independent board members to ensure that there is appropriate oversight, including auditing and well financed compliance function.

Does the Compliance Program Work? The DOJ’s guidance indicates that prosecutors should evaluate how the organization detects misconduct and the good faith effort utilized in performing remediation including the performance of a root cause analysis to understand how the misconduct occurred. The compliance program should be continuously monitoring the organization for new risk and improving the internal control system. The compliance program should include a testing program to identify any weaknesses in high risk areas, and to ensure that controls work. The organization should also investigate and remediate the root cause of misconduct.

The DOJ’s guidance provides insight on best practices that all businesses should follow. The compliance program can be customized to address an organization’s size, risk profile and strategic goals.

Want to Sell Your Business or Go Public? Embrace Compliance

Entrepreneurs start businesses to make money. At some point, the entrepreneur may want to sell or go public, for a variety of reasons. A company that has an inadequate risk and compliance program may find it difficult to do so.

Bankers, investors and potential partners want to understand the risk associated with the company that may negatively impact the company's future value and the partner's reputation. These risks include, among others, illegal activity, fraud, enforcement actions, intellectual property infringement, litigation or the threat of litigation, a consumer safety issue, or employee lawsuits.

A company, as part of what is known as “due diligence”, must disclose these risks and demonstrate control frameworks that prevent them from occurring. Otherwise, no one will be interested in doing a deal.

The cannabis industry poses a higher risk to investors as compared to other industries, which means that sophisticated investors or investment banks will perform extra levels of due diligence. These extra levels are designed to uncover illegal activity, compliance failures, a lack of a culture of compliance, and determine whether a company’s risk and control programs are on par with industry best practices.

If due diligence uncovers evidence of risky business, the valuation of the business and the ability to enter the public market will be negatively impacted. Between two similarly situated acquisition targets, an institutional player will select the business that mitigates risks facing the business, and embraces a culture of compliance. In the cannabis industry, compliance is a competitive advantage.

It is not too late to take a step back and understand how you can implement a risk and compliance program expected of a public company. There are small steps that can take you a long way including:

  • Hire a compliance officer and provide them with sufficient resources to create an effective risk and compliance program. The risk and compliance program can be customized to the company’s size, risk, and strategic goals.

  • Create a culture of compliance. The internal threats posed by employees is one of the greatest risks that can quickly erode a business’ valuation or opportunity to go public.

  • Grow quickly but wisely. Sophisticated investors and investment banks care about the quality of the assets a company buys. Perform due diligence- otherwise, the investment may be worthless. Remember that a company’s sins are assumed by the buyer and do not go away.

  • Obey the laws and demonstrate how you do it. Always be prepared to show investors how the business complies with all applicable regulations.

At the end of the day, the companies that have effective risk and compliance programs will become the market leaders. Those that do not, will fall away. The risk to investors and investment banks in making a bad bet is too great for them to support companies that fail to mitigate risk or follow the rules.