By Jeff Dingle

Much of the Cannabis business is new.  According to Steven Brooks, a Special Agent with the State of Arkansas, the Cannabis business is much like the Wild West.  “The business opportunities are rapidly expanding and growth is huge.  Unfortunately, a majority of the business focus is on growth and profit, and less effort is being spent on worrying about the problems that come with any business that is at a potentially high risk for loss.” Risk assessment gives YOU the opportunity to identify your weaknesses before someone else does, and the opportunity to fix your issues before someone can exploit them.

Cannabis is an attractive target for theft.  The value, inability to track/identify and the ease that it can be transported and sold on the black market increases the threat. The cash issues surrounding the Cannabis Industry add to the threat. Growth, expansion and cashflow are great, but success also makes you a target.

While it is impossible for any business infrastructure to be completely secure, it’s in your best interest to identify potential major vulnerabilities and threats to the organization.  Once the vulnerabilities and threats are identified, your security resources can be applied to solve specific problems.

This is accomplished by a Business Risk Assessment.

Business Risk Assessment helps decision-makers identify and evaluate potential risks to an organization’s mission so that countermeasures can be designed and implemented to prevent or mitigate the effects of those risks. A Business Risk Assessment can be accomplished internally, or there are businesses that specialize in helping you to do this. It may be beneficial for you to look at an unbiased third party, a new set of eyes may see things that you might overlook.

Risk is typically defined as the possibility, probability, and consequence of an adverse event.  Big words, but the idea is to identify the bad things that MIGHT happen and make an effort to keep them from happening.  We first need to recognize the difference in POSSIBILITY and PROBABILITY. Possibility is yes or no, black or white. Either an event is possible or it is not. An earthquake is possible. Probability is the LIKELYHOOD that the event will happen. The greater the likelihood, the more concerned we are. While an earthquake is possible, in most areas an earthquake in unlikely. Theft is possible, and the likelihood of theft is based on several factors. Based on your location and organizational structure, the likelihood of theft may run from very small to significant.

The next step is to determine the consequences of an adverse event. In other words, if a possible adverse event happens – what is your loss?

Most sources model risk in the security area only if the following are present: A specific threat, a vulnerability in the asset or system, and an adverse outcome associated with consequence.  If an event is possible and probable, but there is NO adverse consequence or loss, then there is no reason to expend resources to prevent it. Additionally, if the potential loss is minimal, only minimal resources should be expended, if any. The greater the likelihood and consequence, the greater the resources should be dedicated to prevention.

Alternatives evaluation

Risks can be reduced by preventing or mitigating their impact. Countermeasures should be evaluated to determine the extent to which threats can be reduced. Countermeasures are measured in terms of monetary costs, although other costs may be included. Benefits are usually measured in terms of the risk reduction they provide, or the decrease in vulnerability.

The goal is to select the countermeasure option(s) that reduce risk to an acceptable level, at the lowest cost.

Evaluation and application of countermeasures will depend on preference and judgment of the decision makers, the risk tolerance of the decision makers and the level of comfort with various levels of risk. Fiscal and other constraints may affect the willingness to expend resource on countermeasures.

It is important to note that preventive measures may be used to protect against things that might never happen.  There can be difficult decisions to make when the probability is low, but the consequence is high.

RISK ASSESSMENT PROCESS

There are several assessments that combine to make a Business Risk Assessment. The risk assessment process is basically very simple. Understanding your risk is the first step to making adjustments to keep your loss at a minimum, which protects your profits.

Risk Assessment considerations include the full range of events potentially confronting the site or assets to be protected, the consequences of loss or compromise, and what equipment and techniques might be necessary to deter or prevent such events.

By definition, a THREAT is an act or condition that may result in loss or destruction of property, the compromise of information, loss or life, damage or disruption of the business. A Threat Assessment is an attempt to identify relevant threats, and to characterize their potential risk. What are we protecting against?

A Vulnerability Assessment involves the identification of weaknesses and vulnerabilities in your system. Identify threats against your business. We need to search out our weaknesses and fix them BEFORE we have an issue. WE are in the best position to know what our vulnerabilities are. We need to find our vulnerabilities before our adversary does. Where are your weaknesses? Think like a thief – how would YOU steal from you? How good is your security? How well are your security people trained?

A Criticality Assessment is an attempt to systematically identify and evaluate an organization’s assets by the importance of its mission or function, individuals at risk, or the significance of a structure. We first protect the things that are most valuable to us, but we need to know what they are…

The Vulnerability Assessment process consists of gathering of the data necessary to conduct a thorough analysis of the physical and operational environment in which the security system must operate, and the threats offered against it.  Are you worried about robberies?  Internal thefts?  Product tampering?  Looting during protests?  Take time to honestly look at all the possible threats, regardless of probability. Once the threats are identified – probably is assessed.

Risk Management

How do you manage your risk? There are five methods to manage the risk you identified.  Acceptance, avoidance, reduction, spreading and transfer.

Acceptance – as a cost of doing business.  Retailers such as WalMart have an “Acceptable level of loss”.  These companies understand that theft is a part of a large company doing business, and they acknowledge that the cost to prevent some theft is greater than the value of what is stolen. They simply accept that there will be loss.

Avoidance – by removing threatened assets. Training helps you to identify your assets that need to be protected, and sometimes the answer is move product to a more protected area. Have you ever tried to buy the “good” decongestant at a drug store? There is no product on the shelf – instead there is a card on the shelf. You take the card to the counter and your merchandise appears from behind the counter. High value equals high theft. Same thing happened recently when trying to purchase printer ink from a big box office supply store.

Reduction – by minimizing threatened assets. Minimizing threatened assets works well with cash. The use of drop safes and time locked safes move accessible cash out of the way. On-line or catalog sales are a good example as well, but not always a good business decision. Buyers want to see/touch what they are buying.

Spreading – spreading the risk by hardening the target. This makes the target harder to get.  Increasing security hardens a facility.  Adding or increasing access control, camera systems and other security systems cost money, but ideally the long-term cost is significantly cheaper than the long-term loss.

Transfer – to consumer, or insurance – Transferring risk simply redirects any loss you have to consumers or insurance. Recovering loss results in higher prices to consumers, or higher prices to consumers to cover your increased insurance premiums. Again, quality training helps to identify problems and correct them.

Lastly, Business Risk Assessment is not a one-time event.  Risk and threat can change, so it’s important to regularly update your risk assessment process.

Risk assessment will without question provide a return on investment.  Identifying potential loss and taking steps before the loss occurs will ALWAYS benefit your operations.