As a newly developing industry, the legal cannabis market is filled with many unique business challenges and opportunities. Two keys for business success in the cannabis industry – security and risk management – are not as well-known or understood among industry newcomers and seasoned professionals. With these keys in hand, licensed cannabis operators (“LCOs”) are better positioned to convert two of the industry’s top issues into opportunities: the prevalence of broken security models and a lack of risk management programs.
Most LCOs today operate with broken security models. In general, these models are expensive, easily breached, operate as a disconnected patchwork, are often non-compliant, and are managed by personnel inexperienced with security. Many additionally have no risk management programs and pay considerable insurance premiums for extraordinarily limited insurance coverage.
Private businesses aren’t the only ones smarting from the current state of the industry; municipalities are suffering too. Abandoned cannabis facilities, licenses and license applications due to crime and the lack of law enforcement support have further reduced taxes and fees, disrupted social equity programs, and increased liability for LCOs, including potential personal liability. The legal commercial cannabis community, operators, investors and others have expressed their growing discontent and lack of confidence in city officials addressing these issues.
We generally refer to this state of being today as the cannabis security and risk management “Status Quo”. By understanding the realities of the state of security in the industry and taking steps to plan around those realities, LCOs can ‘win out’ over the status quo and expect far better business outcomes.
A Broad Array of Security Challenges
LCOs face a broad range of challenges with respect to cannabis security and risk management programs, a fact we have seen time and again with LCOs across the state of California and elsewhere. Broadly, the three most important are costs, compliance, and liability.
- Costs – Security and risk management programs annually cost LCOs anywhere from tens to hundreds of thousands of dollars more than they should;
- Compliance – Many of these security systems are non-compliant with state and local regulations; and
- Liability – Non-compliance and ineffective security systems result in additional liability for LCOs, including premises and negligent security liability, as well as potential personal liability for executive management, directors, investors and/or owners.
Regardless of license type (e.g., dispensary, indoor cultivation, distributor, etc.), or industry experience, most LCO security challenges are essentially similar. A few examples of these challenges include costly guard services, various vendor performance issues and disputes causing costly errors or failures, and no product or service warranties.
These vendor performance issues and disputes represent a disproportionately large percentage of the problems attendant to most security systems. LCOs face challenges related to vendor underperformance, poor response times, lack of communication, and a general lack of accountability. All of this adds up to security matters consuming disproportionate LCO staff time versus daily priorities.
In sum, LCOs are generally frustrated by and do not have answers for these security challenges, especially given the above described “Status Quo”.
Cannabis Risk Management
“Risk management programs” are what security experts refer to overall risk management frameworks, principles, strategies, plans, designs, and so on. There are generally three different types of risk management programs:
- Traditional risk management – Generally focused on safety and security or preventing an event or incident from reoccurring
- Enterprise risk management – Forward-looking across the entire enterprise
- Functional area risk management – specific areas of risk management, including cybersecurity, IT, operations, governance, financial, etc.
Existing risk management programs do not apply to the cannabis industry; and in fact, they may not apply for the foreseeable future. This is because the cannabis industry has multiple conflicts with traditional business practices, including:
- The industry is federally illegal.
- Interstate banking is prohibited.
- Many banks, insurance providers and other types of service providers will not accept LCOs as clients, especially those with interstate operations, given concerns about federal penalties and actions being taken against them.
- Most medium-to-larger municipalities mandate that LCOs only operate in “green zones” which are generally located in the most dangerous areas with the highest crime rates with low law enforcement presence.
- Licensing rules and regulatory requirements are complex and burdensome.
- The unlicensed cannabis market continues to flourish with very limited enforcement and protections for LCOs.
- Third-party product, vendor and service provider contracts mostly provide for very unreasonable allocations of risk/liability.
- The cannabis industry itself remains rated as one of the highest risk industries, resulting in correspondingly high insurance premiums (considered prohibitively expensive by many).
- Most cannabis insurance – including property and certain other policies – contain multiple exclusions, carve outs and specialized requirements for cannabis activities, security, and incidents (the net effect of which is LCOs have very limited insurance coverage and extraordinarily limited recoveries when incidents occur).
- There is a general lack of transparency between insurance carriers with respect to sharing copies and details of third-party loss control risk assessment and inspection results.
In order to overcome these unique hurdles, the cannabis industry must embrace a new paradigm for cannabis risk management for the foreseeable future, creating and applying novel techniques and tools. Based on our experience serving LCOs throughout California and other markets across the country, we believe the core principles of a cannabis risk management program must be tactical and targeted toward security, safety, regulatory compliance, and insurance.
Another major objective of a tactical and targeted approach should be to significantly decrease total costs. This includes reducing the risk of security breaches, and substantially decreasing liability for LCOs, including potential personal liability for executive management, directors, and investors.
Security Beyond State Regulations: Practical Realities
Cannabis insurance policies and cannabis security are very much interrelated and interdependent; thus, they must be managed proactively and complement each other. This begs the question: What is cannabis security, and what does a cannabis insurance policy really cover?
For far too long, “security” in the cannabis space has been traditionally and simply defined as “cameras, alarms, security plans and regulations.” Similarly, “insurance” in the cannabis space is generally viewed as a check-the-box requirement, such as one required under a lease agreement, or something mandated by a Board of Directors.
We see the latter example all of the time. Insurance brokers and underwriters are keenly aware of the risks of LCOs operating in “green zones” among other risk factors inherent to cannabis.
We also often see LCOs “racing to the bottom” when it comes to security. Many accept security proposals based solely on price, or, worse still, bypass security professionals entirely and attempt to create and manage their own security system.
Less thrifty LCOs, on the other hand, prematurely jump into vendor contracts or accept commission-based consultant recommendations on security system components without doing due diligence. There are many other factors to consider when designing effective security solutions beyond a security plan, etc., and acting too quickly can ultimately lead to much more expensive and less effective security.
Similarly, many LCOs accept whatever insurance policy proposal and premium pricing their insurance broker can obtain without understanding, reviewing and/or negotiating the security requirements. Most neither understand nor explore alternative risk transfer solutions, or obtain copies of third-party loss control inspection reports. They also do not reconcile lease-related security requirements with insurance security requirements, leading to a much more expensive system and greater liability.
Unfortunately, many LCOs, their Boards of Directors, and investors are caught unaware and miss the opportunity to obtain much more cost effective and efficient security solutions.
Confronting and Disrupting the Status Quo: The Role of the Consultant and Integrator
The job of the security and risk management consultant is to look beyond the regulations and be as proactive as possible in their approach to helping LCOs reduce total costs and liability related to cannabis security and insurance. That starts with thoroughly understanding the landscape – and the actual situation and circumstances of each LCO client or prospect.
Consultants and integrators generally specialize in a particular aspect or component of cannabis security or cannabis risk management. Their core competency might be guard services, video monitoring, or preparing cannabis license applications, each of which are necessary products or services.
Unfortunately, they are not multi-vendor solutions that address wider spectrums of LCO objectives and challenges. When we refer to looking beyond the regulations, thoroughly understanding the landscape, and evaluating actual cannabis security and risk management problems related to an LCO client or prospect, we strongly believe more complete solutions are needed – not stand alone products or services.
More partnerships, alliances, vendor independent teaming agreements and other forms of collaboration between and among consultants, integrators, vendors and services providers will be required in the future with one of the partners ultimately being liable and accountable for the implemented LCO solution.
We believe confronting and disrupting the Status Quo requires a single security solution provider to act as a “general contractor” that coordinates each individual piece and vendor of the security system. General cannabis security contractors acting as ‘where the buck stops’, in other words, is the future of “cannabis security”.
These general contractors would offer service models that include managing all third-party vendors and service providers and would have two primary objectives in their operations. First, preserve overarching cannabis security and risk management objectives for the LCO, including budgetary objectives. Second, maintaining the flexibility to manage multi-vendor “solutions”, including the deployment of new cost-saving technologies, and implementing alternative risk transfer solutions.
Cannabis Compliant Security Solutions