Share

The Importance of Internal Controls & Risk Management for Cannabis Companies

The importance and relevance of internal controls and the need for risk management solutions continue to be a priority for privately and publicly traded cannabis companies, as the industry faces increased regulatory and financial reporting requirements with limited resources. This can feel overwhelming, and a challenge made even more difficult by the increased complexity of financial reporting and the highly adaptable, ever-evolving business models.

Consequently, cannabis companies tend to look at internal controls and risk management through a compliance lens, where regulatory compliance drives a “we have to do it” attitude. As a result, companies find themselves being reactive rather than proactive to issues, which leads to lack of management buy-in, poorly designed internal controls, and uncertainty on how to prioritize risks. This is not sustainable and can result in significant and material issues which could impact a company’s ability to raise capital and deter potential investors.

Why Is Risk Management Essential?

Risk management involves understanding company objectives, identifying risks that can impede those objectives, and protecting against them; a system of internal controls is one of the fundamental methods by which risk is managed. Both are essential for all companies, regardless of size, to proactively help identify and manage threats and vulnerabilities, and reduce the likelihood that company objectives will be jeopardized by unforeseen events.

Risks can affect many areas of a company, such as strategy, operations, finance, technology, and the environment. Particularly, risks that a cannabis company may face stem from a variety of sources and include:

• High cost of capital
• Poorly executed merger or acquisition
• Unreliable accounting records (e.g., high volume of cash-based transactions, limited access to traditional banking, inventory tracking, etc.)
• Penetration and attack of IT systems by hackers (e.g., Cybersecurity vulnerabilities)
• System vulnerabilities and disruption to seed-to-sale platforms, point of sale systems, and accounting and ERP systems
• Breach of regulations and laws (e.g., HIPPA, SOX, etc.)
• Tax problems (e.g., 280E)
• Litigation risks
• Inventory and quality control issues
• Substantial reduction in financial and other resources (e.g., skills shortage)
• Physical disasters leading to interruptions of business and/or loss of records

Cannabis companies need to establish a risk-based internal control and risk management framework, which improves performance and drives a “we should do it” attitude. Being proactive and managing risks-to-objectives helps establish the right motives, including management buy-in, better-designed controls, and sustainable processes.

How Centri Can Help

A commitment to internal controls and risk management, which permeate across an organization, is how cannabis companies improve the quality of financial reporting and manage risk. If you have questions about or need assistance with establishing an internal control and risk management framework, identifying risks, or addressing potential vulnerabilities before they are exploited, contact Centri’s risk advisory and cybersecurity experts to learn more about how we can help you.

Nicole Ellis

Director | CCSA

Nicole is a Director at Centri Business Consulting. She has more than 8 years of experience in providing advisory services to a variety of industries, with an emphasis on internal controls and compliance. View Nicole Ellis's Full Bio

Rich Sowalsky

Managing Director | IT Risk & Cybersecurity Practice Leader | CISA

Rich is a Managing Director at Centri Business Consulting and the leader of the firm’s IT Risk & Cybersecurity Practice. He has more than 14 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits and accounting. View Rich Sowalsky's Full Bio