Does your business need a security risk assessment?
As the cannabis industry moves toward the mainstream, it may be time for growers, retail establishments and laboratories to consider formal physical security risk assessments. These assessments provide a way to identify large-scale risks to a company — from criminal threats and supply-chain tampering to consumer confidence and brand protection. They also address in-house issues like employee theft and inefficient practices that lower profits or increase costs. The key is finding ways to make a business safer while also protecting the culture that made it successful in the first place.
Unfortunately, there is not one standard for security risk assessments across most industries. For some business owners the security goals are simple, like meeting the local requirements necessary for licensing and permitting. But more developed industries know that security investments bring cost savings and safety benefits and can even provide long-term protection for brands.
The security standard in the cannabis industry is still evolving, with medical marijuana focusing largely on health care safety and security precautions, while the recreational market is still looking to define both its risks and its security comfort zone. In this time of uncertainty, it is important to understand which parts of your business you don’t want to change, particularly when focused on customer experience.
A comprehensive security plan serves many purposes, including keeping employees and facilities safe, protecting financial transactions and product inventory, providing peace of mind to customers and creating a stable business environment able to support sustainable growth. If a business has been robbed or appears to have lax security precautions, customers start to wonder about their personal safety when visiting the establishment. They might also question the safety of the product itself. Once lost, consumer confidence can be nearly impossible for a small- to medium-sized business to regain.
Take one high-profile example: In the 1980s Tylenol was associated with several murders when someone tampered with the product somewhere in the supply chain. This case resulted in a new focus on over-the-counter drug safety and new regulatory requirements to try to keep the public safe. Tylenol estimated it took more $100 million dollars to bring its brand image back to normal. That’s money that a company the size of Johnson & Johnson may have to spend, but a figure that most business owners would struggle to cover, especially with an uncertain outcome.
In another instance, Coca-Cola had a product health scare in the late 1990s in Belgium and France which led to a massive product recall and an erosion of public trust in the integrity of the product. At the time, Coca-Cola could not estimate the brand damage done by what were potentially innocuous issues impacting their supply chain. One issue was related to CO2 and the other had to do with the chemical treatment of some of the pallets used by the company in one of its factories. After a few months, consumers were back to buying Coca-Cola at the same rate as prior to the crisis, but this incident cost approximately $200 million in expenses and lost sales. Shortly after this crisis was resolved, the CEO resigned.
Large companies like Tylenol and Coca-Cola may be able to weather these kinds of public relations storms but most small businesses who experience something like this lack sufficient resources to survive. This is even more true in a fledgling and more controversial space like cannabis. No one suggested that soda or over-the-counter medications should be banned after these incidents. But the cannabis industry hasn’t yet earned that level of public comfort.
Today the industry relies on a complicated supply chain to be in compliance with state and (most) federal regulations regarding zoning, growth, transportation, delivery and sales. Consistency and product safety are critical to the protection of individual brands in this market, as well as the long-term success of the industry. The complex regulatory framework makes this especially challenging.
Even companies with established physical security programs are starting to request complete threat, vulnerability and risk assessments (TVRAs) as part of their “cost of doing business.” These assessments look at the general and unique threats, vulnerabilities and risks to each cannabis-related business. This type of assessment helps to drive discussions around security procedures and provides a much-needed layer of comfort to the business owner and the customer.
In short, a TVRA determines what you need to protect, what happens if you don’t protect it, and how you can more efficiently protect it so that you can focus your finite resources on the areas with the most potential business impact. Risk scoring is used to try to quantify a numerical value to help make results easier to read, compare and understand. Data is collected from open sources, public sector sources and, of course, the business itself to help determine the threats, vulnerabilities and risks of the company within the overall industry and environment.
Typical threats include but are not limited to: known criminal entities who target similar operations, angry former customers and disgruntled employees. They can also be based on the type of business or a specific operation’s practices and location. Once threats are identified, a credibility score is derived based on factors including proximity, level of detail, resources, true motive and actionability of threat. For instance, bomb threats are often called into businesses but they are unable to make a credibility determination without collecting details about the caller and a level of knowledge about the threatened site.
Conversely, employee theft may be a constant, credible threat for any retail business, warranting mitigation in any formal security plan.
Once threats are identified, it is important to focus on the potential impact of each type of threat on a relative scale. Vulnerability is the organization’s ability (or lack thereof) to anticipate, recover from or withstand a natural or man-made event. Attractiveness of the “target” and defense strategies in place are typically used to figure out the level of vulnerability.
Risk is quantified by multiplying Vulnerabilities (V) of a particular item by Potential Impact (PI). Typically, the most focus is put into the highest impact risks and the most vulnerable risks.
Once these elements are completed for all the essential business functions, facilities and other high-impact areas of the business, an analyst makes an overall report of the current state, often including mitigation recommendations in an assessment. Some elements that should be considered as part of a thorough assessment include physical facilities, intellectual property, supply chain, product quality control, cash management, employee protection and employee screening. A professional assessment will also take into account the company’s culture and expectations in any recommendations made.
Many cannabis businesses are focusing on physical security models that allow for a relaxed customer experience (which, for this market, is nearly a cultural imperative) with controls for safety and security in place behind the scenes. It’s the “theme-park” model: guests see a wonderland experience while the staff works tirelessly behind the scenes to make sure everyone is safe.
As the industry grows, we will see businesses continue to leverage experts to help them manage their supply chain, assess risks and protect their facilities, people and brands. Building higher fences, hiring more guards and adding more cameras may not be enough to mitigate the true risks the industry faces now and in the future.
While many security professionals may help provide security mitigation strategies, few will be able to do so with a true focus of helping you protect the culture and feel of your business. When determining who to work with, I suggest engaging with businesses that focus on both.
Brian Katz is the CEO of Lighthouse Global Solutions, a security consultancy. He has spent almost 20 years in the public and private sectors of the security industry including as a special agent for the U.S. Department of State, Diplomatic Security Service and most recently as director of global investigations, intelligence, protective services and aviation for Google. He provides security consulting, develops training, conducts program reviews and risk assessments for companies from startups to Fortune 500 businesses.