This article originally appeared in the January 2023 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.
After the November 2022 elections, there are 21 States and the District of Columbia where cannabis is fully legal for adult use and medicinal purposes.
Five states had proposals to legalize recreational marijuana on the ballot in the recent midterm elections. While voters in Maryland and Missouri approved legalization, similar proposals were rejected in Arkansas, North Dakota and South Dakota; however, the rejected proposals are widely viewed as only temporary setbacks in the broader legalization of the cannabis industry.
Notwithstanding the midterm elections, there is absolutely no doubt the cannabis market is growing and expanding. The size of the legal cannabis market was estimated to be $22 billion in 2020 and forecast to grow at almost 30% per year to approximately $100 billion in 2026. Sales volumes of cannabis products, new licenses granted, new and larger cannabis facilities being opened, license applications, and state government programs to support and enhance social equity in cannabis are all growing significantly.
The legal cannabis market is filled with many well-known business challenges and opportunities; however, two keys for business success in the cannabis industry – security and risk management – are not as well-known or understood among industry newcomers.
Two critical realities regarding licensed cannabis operators (LCOs) operating in the legal cannabis industry must be better understood and converted into opportunities.
First, most LCOs today operate with broken security models. In general, these models are very expensive, easily breached, operate as a disconnected patchwork, are often non-compliant, and they are often managed by personnel inexperienced with security. Second, most LCOs essentially have no risk management programs, and are paying considerable insurance premiums for extraordinarily limited insurance coverage. We generally refer to this state of being today as the cannabis security and risk management “status quo.”
Municipalities are suffering as well, with abandoned cannabis facilities, and abandoned licenses and license applications due to crime and the lack of law enforcement support.
A Broad Array of Security Challenges
LCOs face a broad range of challenges with respect to cannabis security and risk management programs; in fact, we have seen these challenges time and again with LCOs across the state of California and in other legal markets. Broadly, the three most important are costs, compliance and liability.
- Costs – Security and risk management programs annually cost LCOs literally anywhere from tens to hundreds of thousands of dollars more than they should;
- Compliance – Many of these security systems are non-compliant with state and local regulations; and
- Liability – Non-compliance and ineffective security systems result in additional liability for LCOs, including premises and negligent security liability, as well as potential personal liability for executive management, directors, investors and/or owners.
Regardless of license type (e.g., dispensary, indoor grow, distributor, etc.), or whether an LCO is a new market entrant or has been operating in the industry for a long time, their security challenges are essentially similar.
A few examples of these challenges include overly expensive guard services, vendor overbillings, commissioned sales of costly and non-
Additionally, LCOs face both known and unknown challenges related to vendor underperformance, poor response times, lack of communication, security matters consuming disproportionate LCO staff time vs. daily priorities, and as is the case with any patchwork multi-vendor system, they will each point fingers at others being the root cause of any problem.
In sum, LCOs are generally frustrated by and do not have answers for these security challenges, especially given the “status quo.”
Cannabis Risk Management
To explore risk management in the cannabis industry more deeply, it would help to quickly explain risk management in a broader sense. “Risk management programs” is a term used here to refer to overall risk management frameworks, principles, strategies, plans, designs, and so on. Risk management in this article will focus on traditional risk management (generally focused on safety and security or preventing an event or incident from reoccurring); enterprise risk management (forward-looking across the entire enterprise), and various forms of functional area risk management, such as cybersecurity, IT, operations, governance, financial, and others.
Most existing risk management programs do not apply to the cannabis industry; in fact, they will not apply for the foreseeable future. This is because the cannabis industry has multiple conflicts with traditional business practices. Below are 10 examples that would prevent mainstream risk management programs and approaches from being applicable:
- The industry is federally illegal;
- Interstate banking is prohibited;
- Many banks, insurance providers and other types of service providers will not accept LCOs as clients given concerns about federal penalties and actions being taken against them;
- Most medium-to-larger municipalities mandate that LCOs only operate in “green zones” which are generally located in the most dangerous areas with the highest crime rates and a low law enforcement presence; in fact, green zones are notorious “target-rich” environments for bad actors, who generally operate as one large crew, or in packs of crews, utilizing radios and lookouts in coordinated raids;
- Licensing regimes and regulatory requirements are diverse, even within a particular state, as it is with California;
- The illegal cannabis market continues to flourish with very limited enforcement and protections for LCOs;
- Third-party product and vendor service provider contracts mostly do not provide for reasonable allocations of risk/liability between LCOs and such vendors;
- The cannabis industry itself remains rated as one of the highest risk industries, even higher than biotech, resulting in correspondingly high insurance premiums (considered prohibitively expensive by many)
- Most cannabis insurance – including property and certain other policies – contain multiple exclusions, carveouts and specialized requirements for cannabis activities, security, and incidents (the net effect of which is LCOs have very limited insurance coverage and extraordinarily limited recoveries when incidents occur); and
- There is a general lack of transparency among insurance carriers with respect to sharing copies and details of third-party loss control risk assessment and inspection results, if such inspections actually occur by carrier policy or via a regulatory requirement, leaving LCOs largely in the dark regarding security matters and other areas for improvement, compliance and claims negotiation when security incidents do occur.
The cannabis industry must embrace a new paradigm for cannabis risk management for the foreseeable future, creating and applying techniques and tools in new ways. Based on our experience serving cannabis clients primarily throughout California and in other markets, we believe the core principles of a cannabis risk management program must be tactical and targeted at security, safety, regulatory compliance, and insurance, especially when considering the list of examples above, with a special emphasis on overcoming various “green zones” security and risk management challenges.
The objectives of such a tactical and targeted approach should be to significantly decrease total costs, reduce the risk of security breaches, and substantially decrease liability for LCOs, including essentially eliminating liability for executive management, directors, and investors individually.
Security Beyond State Regulations: Practical Realities
What constitutes cannabis security, and what does a cannabis insurance policy really cover? Cannabis insurance policies and cannabis security are very much interrelated and interdependent; thus, they must be managed proactively and must complement each other.
For far too long “security” in the cannabis space has been traditionally and simply defined as “cameras, alarms, security plans and regulations.” Similarly, “insurance” in the cannabis space is generally viewed as a check-the-box requirement, such as one required under a lease agreement, or something mandated by a Board of Directors. We see this all the time. Insurance brokers and underwriters are keenly aware of the risks of LCOs operating in “green zones” among other risk factors inherent to cannabis.
Regarding security, we often see LCOs “racing to the bottom.” They accept security proposals based solely on price, or worse, the cannabis operator bypasses security professionals entirely and attempts to piece together and manage a multi-vendor, store-bought security system.
Other LCOs do not push back and redline vendor contracts, or they blindly accept commission-based consultant recommendations on security system components without understanding that there are many other factors to consider when designing effective security solutions beyond a security plan, etc. – ultimately leading to much more expensive and less effective security.
Regarding cannabis insurance coverage, many LCOs accept whatever policy proposal and premium pricing their insurance broker can obtain without understanding, reviewing and/or negotiating the security requirements. They neither understand or explore alternative risk transfer solutions or obtain copies of third-party loss control inspection reports. They do not reconcile lease-related security requirements with insurance security requirements, leading to a much more expensive system and greater liability.
Unfortunately, many LCOs, their Boards of Directors, and investors are caught unaware and miss the opportunity to obtain cost effective and efficient security solutions at the onset on an operation.
Confronting and Disrupting the Status Quo: The Role of the Consultant and Integrator
The job of the security and risk management consultant is to look beyond the regulations and be proactive as possible in their approach to helping LCOs reduce total costs and liability related to cannabis security and insurance. That starts with thoroughly understanding the landscape – and the actual experiences, facts and circumstances related to each LCO client or prospect.
Consultants and integrators generally specialize in a particular aspect or component of cannabis security or cannabis risk management. Their core competency might be guard services, video monitoring, or preparing cannabis license applications. While each of these capabilities are needed products or services, they are not multi-vendor solutions addressing multiple or groups of LCO objectives and challenges.
Looking beyond the state regulations, thoroughly understanding the landscape and evaluating actual cannabis security and risk management problems related to an LCO client or prospect, means solutions are needed instead of stand-alone products or services.
More partnerships, alliances, vendor-independent teaming agreements and other forms of collaboration between and among consultants, integrators, vendors and services providers will be the future cannabis security model, with one of those partners ultimately being liable and accountable for the fully implemented LCO solution.
To further this goal, our consultancy has implemented customizable managed services offerings and service models to confront and disrupt the status quo with the consultant serving as a “general contractor” – or the proverbial “one throat to choke.”
These offerings and service models include managing all third-party vendors and service providers, which enables us to preserve overarching cannabis security and risk management objectives for the LCO, including budgetary objectives. In addition, the consultant now has the flexibility to manage multi-vendor solutions, including the deployment of cost-saving technologies, and implementing alternative risk transfer solutions.
By changing the fundamental approach to cannabis security and risk management, we have enabled our LCO clients to focus more on their core businesses, in addition to cost-savings, increased security, reduced liability, and other benefits.
