The legal cannabis industry is emerging from decades of nationwide prohibition, even if only on the state level for now. The highly regulated nature of this newly legal industry means compliance is especially important for cannabis entrepreneurs, but what exactly does that mean? This guide offers expert insights on why compliance is key in cannabis and how your business can ensure it stands up to evolving regulatory frameworks and industry standards.
What is compliance?
Compliance refers to an organization’s adherence to regulatory requirements and industry standards. These include laws and regulations from government agencies, as well as guidelines like International Organization for Standardization (ISO) standards or Good Manufacturing Practices (GMP). Compliance serves to demonstrate that a company is operating in a legal manner that takes quality assurance into account, giving regulators, partners, and consumers confidence that they can trust in the products and services a business provides.
Why is compliance important?
Compliance not only demonstrates an organization’s commitment to quality and establishes a strong reputation, but also prevents it from becoming subject to lawsuits and fines. For cannabis businesses, compliance is especially important as the industry is highly scrutinized. According to Jason Thomas, founding partner at Precision Quality and Compliance, adherence across every facet of a business’s operations – from quality assurance to risk management to governance – is “the most critical function in cannabis.”
“Without it, wealth generation and social equity discussions go away. We won’t have a business to pass on if we don’t adhere to compliance,” Thomas said. “We’re already seeing it affect businesses with violations and fines from the NJ [Cannabis Regulatory Commission].”
As east coast markets like New York and New Jersey come online and regulators establish the requirements by which cannabis businesses must operate, entrepreneurs should be focused on establishing strong foundations that set them up for success in the long term, Thomas said.
“Cannabis and hemp play at the cross-section of industries like pharma, food and beverages, food supplements, medical devices, energy, and technology,” Thomas said. “Pulling regulatory standards from these industries into this emerging space … is what the [Food and Drug Administration] (FDA) and international governing bodies will expect.”
What does it take to be compliant in the cannabis industry?
It might sound like a tall order to consider the compliance standards impacting such a diverse range of spaces, but that’s what it will take for cannabis companies to survive and thrive in a global, regulated industry. According to Thomas, this means establishing a sprawling set of compliance standards that impact everything from the way you deal with partners to the way you train your personnel to the way you make products or deliver services.
“Compliance is a differentiator,” he said. “GMP certified companies will get better deals, more shelf space, and have a competitive advantage. It all comes down to project management and having the right skills on your team.”
Contractual compliance covers the supply chain your business works with, including the type of contracts and termination agreements you have in place with partners. No cannabis business works alone. Cultivators will have to partner with packaging companies, for example, while dispensaries need to rely on growers and manufacturers to obtain products. Who you work with can impact your overall compliance and quality assurance, so having the right controls, documentation, and processes in place is essential to protecting the reputation of your business.
Operational compliance is a wide-ranging category that touches all aspects of a business, including accounting, human resources, and quality assurance. Ensuring operational compliance means planning for things like social equity rules and tax rules like adhering to the Internal Revenue Service’s (IRS) Section 280E.
Operational compliance also includes considerations like Occupational Safety and Health Administration (OSHA) guidelines and workplace safety. This is especially important in manufacturing, Thomas said, as cannabis manufacturers often work with potentially hazardous or flammable chemicals.
Thomas recommended creating standard operating procedures (SOPs) for each department to serve as guidelines on how to remain compliant with existing regulatory requirements and industry standards, then hiring internal auditors to put those SOPs to the test.
Technology and data compliance refers to an organization’s cybersecurity standards and how they respond in the event of a data breach. In the age of consumer data privacy laws like the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), organizations are responsible for protecting consumer data and alerting users when their information may have been compromised.
Establishing an IT team dedicated to data security and cyberattack response planning, as well as a system for monitoring vulnerabilities and threats, is an important part of compliance even for companies that don’t consider themselves tech-centric. Most businesses accept customer payment information, for example, making them a primary target for hackers whether they are technologically focused or not.
Your compliance program is only as good as your personnel adhering to the SOPs you develop. Ensuring that your new hires are given a thorough explanation of the rules governing their role and why they’re in place – as well as the processes they must adhere to so you can document ongoing compliance – is key to making sure your SOPs are carried out in the workplace.
“Train your people and take care of your people,” Thomas said. “There’s something to be said about having continuity in staff that’s well-trained.”
Consider employing a training manager who oversees the onboarding of new recruits. This person can make sure staff is fully equipped to do their jobs within the confines of the compliance plan you’ve established.
Tips for cannabis business compliance
The following tips can help cannabis businesses develop a comprehensive compliance plan that gets them started on the right foot, even as regulations emerge and evolve.
Know your business model
A common mistake when it comes to compliance planning, Thomas said, is that entrepreneurs are so laser-focused on licensing they forget to thoroughly develop their business model.
“You need to pick a license type, but you should also get more refined,” he said. “You want to be a processor, but what type of processing? Are you making beverages, extracts, or something else? There are different staffing needs, formulation, training for each of these business models.”
Establish a timeline
When thinking about compliance, it’s important to develop a detailed roadmap, Thomas said. This roadmap should include milestones that you target as your business plan rolls out — don’t worry, this roadmap can be adjusted as needed, but it’s important to have one in place.
“You should know when to hire a lawyer, when to hire accounting,” Thomas said. “What are your dependencies, like investors or lending? It’s a living document, but it’s all about that timeline.”
Don’t reinvent the wheel
In most cases, you can make important inferences about the regulatory framework that will impact legal cannabis by looking at other highly-regulated industries and the businesses operating within them.
“Copy frameworks like biotechs and big pharma,” Thomas said. “That will make it easier to slide compliance programming into the regulatory framework and execute it.”
He also recommended looking at what’s worked and what hasn’t in state markets that legalized cannabis earlier to avoid the same pitfalls as other businesses.
“Look at different markets and how to avoid their issues. We’re in a unique position to stand the east coast market up faster,” he said.
Consider facility design
When establishing a facility, it’s important to think ahead. Even if the current regulatory framework doesn’t require considerations like ISO standards or GMP certification, you should design facilities with these likely future requirements in mind. Thomas gave the example that cannabis manufacturers should adhere to the ISO22000 standards used for food safety management, even if it’s not currently a regulatory requirement.
“If you build a manufacturing facility that doesn’t meet ISO22000, and a regulatory body says at a later point in time you have to be certified, you’ll need to stop manufacturing, retrofit your facility, establish new compliance controls, and you’ll be out of business,” Thomas said. “What small business can weather 12 months out of business?”
Thomas advised starting to implement ISO9001 standards now and incrementally building out a facility.
“You can put ISO22000 on top of that, and it makes GMP easier to adopt later,” he said.
Vet your partners
Compliance doesn’t start and end with your organization. It extends to your entire supply chain. When building your supply chain and choosing partners to work with, vet them fully to understand their own compliance and quality assurance processes. Trust your partners to operate to the same standards as your team.
“Partners are critical,” Thomas said. “Put yourself in a consumer’s or patient’s shoes: If I purchase something grown by a great cultivator but processed by a shoddy manufacturer, the product is not quality. Consistency in the supply chain and being able to depend on your partner operators is paramount.”
Never stop working on compliance
Compliance is an ongoing process. Just because an organization is compliant at a moment in time doesn’t mean they will remain that way in the future. Creating a situation where your compliance SOPs are continuously reviewed and updated while your operations are subjected to internal audits will ensure you remain compliant consistently.
“[Big pharmaceutical companies] spend millions training and incentivizing their people; they have lots of people monitoring compliance and making changes daily,” Thomas said. “Take what works about that kind of strategy and scale it down to your business.”
Compliance is comprehensive
Ongoing compliance at every stage of your operations and throughout your supply chain is critical to protect the longevity of your business and the quality of your products and services. Although the race to secure licensing and real estate is top of mind for everyone, only the operators who do so with compliance in mind will survive the maturation of the legal cannabis industry, when agency regulations, ISO standards, and GMP certification become the norm. Ask yourself whether your business has a comprehensive compliance plan in place, and if not, begin working today to establish one.