While you may not have heard of CannTrust Holdings so far, that is now about to change. A summer spectacle of double dealing and corporate greed has put this Canadian cannabis company on the global map.
Unfortunately, the current meltdown underway is indicative of more to come.
A Summary Of The Story So Far
CannTrust, a company which serves 72,000 Canadian patients and got into the game early, decided to do what it saw other companies doing all around them. That covers a lot of ground (good and bad at this point). Regardless, the most relevant recent twist to the saga came when the company hired a new CEO, Peter Aceto last October.
Aceto however, along with the now also fired co-founder and chair of the board Eric Paul, decided to continue growing and harvesting unlicensed product. Worse, this occurred while boasting in public of their productivity gains on the way to securing a hefty investment of capital this spring. $170 million. The grow rooms finally got their certification in April.
What is even more embarrassing however, is that this was a round led by the much-vaunted investors the industry has been courting assiduously for the past several years. Specifically, in this case? Institutional banks like Bank of America, Merrill Lynch, Citigroup, Credit Suisse Securities and RBC Capital Markets.
But that is “just” the North American hemisphere. The rather unfortunately named CannTrust (certainly at this point) also had a European footprint – notably Denmark. Unlicensed cannabis ended up there too, of course. Stenocare A/S, the company at the receiving end of the same, reported receipt of product from the unlicensed rooms on July 4.
As far as such things go, however, you have to give it to CannTrust company executives. In terms of setting standards if not benchmarks and “records”, they certainly seemed to have set a few, although probably not the ones they aspired to. If not, with certainty, their investors.
A Surprise Or Inevitability?
That said, for many who have been sounding warnings for at least a year, the 2019 Summer of Canadian Cannascandal is certainly starting to confirm what many have been saying for quite some time. This is not the first time a securities exchange, for one, has sounded the alarm. Deutsche Börse delisted the entire North American public cannabis industry last summer briefly. Then they revised their policy, reluctantly, after Luxembourg changed its stance on medical use. That said, they are still watching with a standing policy of bouncing any company that runs afoul of their rules.
The problems, issues and more bubbling at the center of this cannameltdown, in other words, are not limited to just one company or country.
And everyone knows it.
Accounting For Past Mistakes
For those who are counting, the value of all of that illegally grown CannTrust product is not insignificant. Estimates are floating in the CA$50-70 million range. The problem is, of course, nobody is sure what numbers to rely on. CannTrust employees knowingly provided inaccurate information to the new CEO if not regulatory body until a whistle-blower provided a few more details.
That said, for all of the hullabaloo, one thing this story also does is point a bright spotlight on the lax enforcement of even this pretty easy-to-understand regulation.
The question, however is, if CannTrust thought it could get away with this kind of blatent flouting of the rules, if not lax oversight, are there any other companies who might have also done similiar things?
After all, even the pesticide scandal of 2016 did not occur at just one company either.
Where Are The Proceedings?
This is a rolling story, which began to break at the beginning of last month when Health Canada issued a non-compliance order to CannTrust and impounded 5,200 kg of dried cannabis that was apparently grown in unlicensed grow rooms on July 3.
There have already been some jaw dropping revelations so far (beyond the executive decision to even go down this road in the first place) no matter how attractive pimping numbers was. Starting with things like fake walls being erected to hide the grow. And then of course pictures that have been all over social media of late, of the now departed CEO Aceto being photographed directly in front of said unlicensed rooms too.
As a result, the drama has continued to unfold in a highly predictable way.
By August 1, CannTrust Holdings, a Canadian cannabis company listed on both the New York and Toronto stock exchanges, was facing a “quasi-criminal investigation” by the Canadian Joint Serious Offenses Team. This is a coalition of law enforcement agencies including the Ontario Securities Commission, the Royal Canadian Mounted Police Financial Crimes Unit, and the Ontario Provincial Police Anti-Rackets Branch.
But CannTrust’s issues don’t end there. This is an international story that is just beginning. Government regulators in Europe if not elsewhere are paying attention.So are shareholders, and their lawyers.
Unlike the food industry, the cannabis industry is still in its infancy. Which means there is not a push from retailers demanding cannabis farmers, extractors or manufacturers to get third-party audits. In fact, most grow operations supply into their own dispensaries. So why should a cannabis farmer, extractor or manufacturer get a third-party audit? Third-party audits are crucial to maintaining product safety and quality by providing a third set of eyes to verify what is working and what is not. Besides regulatory requirements and customers requiring your facility to get a third-party audit, there are numerous other benefits to receiving an audit. Some of these benefits include:
Improvement to product safety
Improvement to product quality and consistency
Meeting regulatory compliance
Eliminating potential risks and possible recalls
Marketing advantages over competitors who are not audited by a third-party
Improvement to consumer confidence and an increase to brand loyalty
How to Prepare for a Third-Party Audit
Working for a certification body, I am in the unique position to see numerous sites go through the certification process. In this position I have seen both extremes: Sites that spend 6-8 months and a lot of resources preparing for an audit, as well as sites that wait until the day before to even look at the audit standard. Unfortunately, the latter is almost always going to fail the audit. Here are seven steps for preparing for your next third-party audit.“By failing to prepare, you are preparing to fail.”– Benjamin Franklin
Start Preparing Early
Think of your third-party audit as a college exam one month away. You could start studying for the exam now and get a real understanding of the material or you could wait until the day before to start your no-sleep, energy drink-fueled, 24-hour cram session. We all know which preparation method will get a better score on the exam. Now let’s apply that same strategy to your third-party audit. Once you have decided what audit is best for your site and have those specific standards in your hand, the clock starts ticking and you should already be preparing for the audit, whether it is one month or six months away.
Get Management Commitment
It is essential to the entire cannabis safety and quality system to have commitment from top down. Without this, the site will not get the resources (people, equipment, money, time, etc.) they need to pass a third-party audit. Management commitment is so important that it is often seen as its own section in most modern audit standards. It is very easy for third-party auditors to identify when there is a lack of management commitment in a site. Therefore, if you don’t get management commitment, then you are already starting off the audit on a bad note.
Create a To-Do-List
Think of the entire audit checklist or standard as your long to-do list. Some things, like attaining a certificate of analysis (COA) from a supplier, may only need to be done annually. While other things, such as ensuring employees are following Good Manufacturing Practices (GMPs), will need to be done continuously throughout day to day operations. Go through the audit checklist and separate what needs to be done annually, semiannually, quarterly, monthly and continuously throughout day to day operations. This will give you a list with all of the frequencies of each different requirement.
Teamwork“Teamwork makes the dream work, but a vision becomes a nightmare when the leader has a big dream and a bad team.” – John C. Maxwell
The preparation of an audit should never rest on the shoulders of one person. Yet this is something I tend to see too often in both food and cannabis facilities alike. Your site should establish a cannabis safety and quality team of multidiscipline personnel that have an impact on product safety and quality. Once the team is established, various tasks from the to-do-list can be disbursed among all the members of the team. Collaboration is key to successfully preparing for a third-party audit, especially when the timelines are very stringent.
Training is essential to preparing for your third-party audit. This is what closes the gaps between what the safety and quality department have developed and what your front-line employees are applying. All employees should know what part of the audit standard applies to them. Additionally, employees should be trained on interview questions that the auditor might ask them during the audit. Helping them prepare for these types of questions will help ease their nerves and allow them to answer the questions with self-assurance when it comes time to the actual audit.
Conduct Internal Audits
Conducting internal audits is not only a great way to prepare for your third-party audit, it’s a requirement. You should always use the audit checklist to observe your documents and facility to see where there are gaps. If possible, the person or team conducting the internal audit should never review their own work. Additionally, all issues or non-conformances should be noted, evaluated, corrected and closed out.
Third-Party Pre-Assessment or Mock Audit (Optional)
A third-party pre-assessment or mock audit is the closest thing you can get to an actual audit. This is where a company would come in and evaluate your site to the specific standards and give a formal report over any deficiencies found during the assessment and how to fix them. This is a great way to test your preparedness before the actual audit.
When it comes to compliance for cannabis startups, the ISO 9000 family of standards reigns supreme. Providing the guidelines for the concepts that make up a quality management system (QMS), the ISO family is composed of five standards: ISO 9000, 9001, 9002, 9003 and 9004. Outside of ISO 9001, ISO 9000 is the most important because it creates the foundation that guides all of the other standards.
ISO 9000 is split into two sections: fundamentals and vocabulary. Fundamentals covers the basic principles of quality management and the vocabulary section is a dictionary of quality management terminology. ISO 9000 is crucial because it provides direction on proper QMS implementation that will lead to achieving an ISO 9001 certification.
While the entire ISO 9000 family is focused on quality management systems that aim to help organizations “ensure that their products and services consistently meet customer’s requirements and that quality is consistently improved,” ISO 9001 is the only standard that lists actual requirements and requires certification.Cloud-based quality management software provides the flexibility and scalability, that cannabis startups need to comply with ISO 9001
Quality Management Systems (QMS)
When conceptualizing “quality management,” it is best to think of it as an organization’s definition of how it will meet the quality requirements of customers and other stakeholders who are affected by its work. Implementing this requires an extensive alignment of company processes and procedural governance.
It’s easiest to think of a QMS as the facilitator of outlined processes that are required to fulfill ISO 9001 requirements. For example, if an organization has defined a change request process, it could use a cloud-based QMS to put that process in place. However, the benefits of a cloud-based QMS don’t have to end at ISO 9001. It can also help organizations comply with other regulations like GxP.
ISO 9001 Requirements
ISO 9001 requirements can sound very generic because they’re meant to be applied to any organization, big or small, in any industry. The key to ISO 9001 is the concept of continuous improvement, which is why specific requirements for what “quality” is are not defined. Rather, companies must create objectives and work toward improving processes to meet those objectives. That said, a certified QMS still must do the following:
Meet the requirements of other stakeholders, for example, customer requirements and regulatory standards
Ensure that employees receive training outlining the quality requirements
Determine and document the processes, their interactions and their results
Be able to produce records to prove that system requirements have been met
From creation to disposal, document protocols must be clear and properly followed.With that in mind, ISO 9001’s purpose is to evaluate whether or not a QMS does a good job of managing processes while also being able to help organizations identify areas that need improvement. In simple terms, ISO 9001 helps companies who were making an excellent product most of the time, make an excellent product every time.
How can cloud quality management software help you get your ISO 9001 certification? Once you create processes that adhere to ISO 9001 quality management standards, you have to put them into practice. Enter: quality management software. But, how exactly does it help?
Optimal Time to Value
First, cloud-based software is the most cost-efficient to implement. Secondly, since a QMS needs to be accessible to every employee regardless of whether they work at HQ or on-site, cloud QMS are built to be mobile-friendly and easily accessed from any location.
Automated Document Lifecycles & Version Control
From creation to disposal, document protocols must be clear and properly followed. As up-to-date documents are an important factor in maintaining high levels of quality, the most recent versions of approved documents should be readily available while previous editions should be hidden away.
With cloud quality management software, workflows can automate the review and approval processes by automatically sharing documents with the right reviewers. Then, after the document has been approved, the changes will automatically be applied to the master document while the obsolete version is archived, helping to remove any chance of it being accidentally used after the update.
Easy Document Location & Metadata
According to ISO 9001, searching through an organization’s documents should be as easy as searching with Google. It’s an added bonus when the quality management software enables users to add custom metadata to documents. Metadata is just extra information that helps to define a document (like file size, type, date modified). With certain cloud-based QMS’, you can add custom metadata fields to make documents easier to find. For example, you can add an “expiration date” field that allows you to look up policies based on when they are set to expire.With the growing number of data breaches happening every year, it’s important to address the security components of a QMS.
In order to pass any ISO 9001 audit, there needs to be a complete audit trail for every document, including active documents and the earlier archived versions. While this might seem like a big ask, cloud quality management software helps make this simple. Every single change to a document, regardless of whether it’s the current or past version, is tracked. When combined with automated workflows, you’re able to produce a precise log of every change made by every user.
Advanced User Permissions & Central File Ownership
With the growing number of data breaches happening every year, it’s important to address the security components of a QMS. Many of these issues can be resolved with user permissions, which is generally related to managing users’ editing and sharing access. The proper view, edit, and approval rights go a long way to reducing the risk of human error.
Another feature that may seem like common sense is central file ownership. When the organization owns all of its documents, there’s no need to worry that important files will be lost or deleted. With one owner, the damage that can be inflicted by malicious third-parties is also limited.
Cloud-based quality management software provides the flexibility and scalability, that cannabis startups need to comply with ISO 9001. With the cloud as a foundation, these systems will continue to be assets for the cannabis industry as it gains momentum and expands more.
Anyone with a search engine can piece together how much THC certain strains produce and what their characteristics are. Oh wait- there’s an app for that… or dozens, I lose count these days.
Nefarious lab results are rampant in our communityLet’s take one of my favorites, Dutch Treat; relaxing, piney and sweet with a standard production of 18-25% THC, according to three different reviews online. So, did I raise an eyebrow when I saw Dutch Treat on Oregon shelves labeled at 30% THC? Did I take it in to an independent, accredited lab and have it tested for accuracy? You bet your inflated potency results I did! The results? Disappointing.
Nefarious lab results are rampant in our community; it is hurting every participant in our industry affected by the trade, commerce and consumption of recreational cannabis.
“I have had labs ask me what I want my potency numbers to look like and make an offer,” says David Todd, owner and operations manager of Glasco Farms, a craft cannabis producer in central Oregon. “It’s insane- I want to stand behind my product and show through scientific fact that I produce a superior flower.”
But without enforcement of lab practice standards, producers are being pressured to play dirty. In her third year cultivating at a two-tier recreational cannabis farm, a producer who wished to remain anonymous sent me an email about the pressures she is up against to produce high THC strains:
“The only sure way to get my product on the shelf at a profitable price is with THC 25% or above. Not a lot of strains have that potential, but the market has plenty with 28% to 32% floating around so I have to go with the same labs as the rest of the independent farmers to get the best numbers I can. The lab I use … return(s) good numbers.”
Those “good numbers,” aka high THC %, are the driving force of sales. A strain tests at 20% THC and it sells for $1,000/lb. Then it tests at 25% THC, and sells for $1300/lb. You produce cannabis for sale- this is your business. And labs are telling you that they can manipulate samples and reports to make you more money. Everyone else is doing it. If you don’t, your product isn’t “good enough” to sell. What do you do?Labs should operate ethically.
It’s a vicious cycle perpetuated by lies, lack of enforcement resources, coercion and undereducation. We are all responsible. Yet, ask who the source of the problem is and everyone points fingers across the circle.
The consumers are uneducated about cannabis and only focus on THC. The dispensaries and budtenders should be educating them. Producers should take a stand and use an honest lab. Labs should operate ethically.
I repeat: Oregon, we have a problem.
It’s time to stop living in a land where Dutch Treat is hitting 30% THC. It’s time for everyone to demand auditing and ethics.
Laws have been set forth on how to sample, prep, test and report analyses for cannabis to ensure fair commerce, consumer health and public safety. But there’s a clear need to blind test the different labs, and for unbiased, third-party research and development.
As federal eyes turn to the Oregon to investigate black market activity, regulatory bodies are tightening their grip on licensees to maintain legal validity and avoid shut down.
The time to demand change and integrity is now.The crack-down began on August 23, 2018, when the OLCC investigated several prominent producers’ practices. Black market distribution incurred the harshest penalty; the OLCC revoked their wholesale license due to multiple violations.
“We want good compliant, law-abiding partners as OLCC marijuana licensees,” says Paul Rosenbaum, OLCC Commission Chair. “We know the cannabis industry is watching what we’re doing, and believe me, we’ve taken notice. We’re going to find a way to strengthen our action against rule breakers, using what we already have on the books, and if need be working with the legislature to tighten things up further.”
Trends in METRC data lay the foundation for truth, and it’s time to put it to use. “The Cannabis Tracking System worked as it should enabling us to uncover this suspicious activity,” says Steven Marks, OLCC Executive Director. “When we detect possible illegal activity, we need to take immediate steps …”
Potency fraud might not be at the top of the list for investigation, but labs and producers are breaking the law, and there will be consequences. ORELAP and OLCC have the right to investigate and revoke licenses of labs that are falsifying data and consumers can file claims with the Department of Justice.
Documents play a key role in the world of regulations and global standards. Documents tell a story on programs development, implementation and verification during an inspection or audit. Documents are used as evidence to determine conformance to the law or standard. However, do you know what kind of documents may be reviewed during a regulatory inspection or a food safety audit? Are you prepared to show that the implementation of regulatory requirements or a standard is done efficiently at your facility?
Inspectors and auditors will look for compliance either to regulations or to a standard criterion. Regulations and standards require that documentation is controlled, secured and stored in an area where they cannot deteriorate. Therefore, writing a Document Management Program (DMP) will help a business owner ensure consistency in meeting this and other requirements.Radojka Barycki will host a a plenary session titled, “Cannabis: A Compliance Revolution” at the 2018 Food Safety Consortium | Learn More
A well-developed and implemented DMP provides control over documents by providing a number sequence and revision status to the document. In addition, ownership for development, review and distribution of the documents are assigned to specific individuals within the company to ensure that there are no inconsistencies in the program. Documents must also have the name of the company in addition to a space to write the date when the record is generated. It is recommended to include the address if there are multiple operational sites within the same company.
There are different types of documents that serve as support to the operations:
Program: A written document indicating how a business will execute its activities. When it comes to the food industry, this is a written document that indicates how quality, food safety and business activities are controlled.
Procedures: General actions conducted in a certain order. Standard Operational Procedures (SOPs) allow the employee to know what to do in general. For example, a truck receiving procedure only tells the employee what the expected conditions are when receiving a truck (cleanliness, temperature, etc.) However, it doesn’t tell the employee how to look for the expected conditions at the time of the truck arrival.
Work Instructions: Detailed actions conducted in a certain order. For example, truck inspection work instruction tells the employee what steps are to be followed to perform the inspection.
Forms: Documents used to record activities being performed.
Work Aids: are documents that provide additional information that is important to perform the job and can be used as a quick reference when performing the required activities within the job.
The inspectors and auditors base their role on the following saying: “Say what you do. Do what you say. Prove it!” The programs say what the company do. The procedures, work instructions and work aids provide information on implementation (Do what you say) and the forms become records that are evidence (prove) that the company is following their own written processes.
Regulatory requirements for cannabis vary from state to state. In general, an inspector may ask a cannabis business to provide the following documentation during an inspection:
Product Traceability Programs and Documents
Product Testing (Certificate of Analysis – COAs)
Certification Documents (applicable mainly to cannabis testing labs)
Proof of Destruction (if product needs to be destroyed due to non-compliance)
Training Documents (competency evidence)
As different states legalize cannabis, new regulatory requirements are being developed and modeled after the pharma, agriculture and food industries. In addition, standards will be in place that will provide more consistency to industry practices at a global level. The pharma, agriculture and food industries base their operations and product safety in programs such as cGMPs, GAPs, HACCP-based Food Safety Management Systems and Quality Management Systems. Documents required during an inspection or audit are related to:
Good Agricultural Practices (GAPs)
Current Good Manufacturing Practices (cGMPs)
Food Safety Plan Documents
Ingredient and Processing Aids Receiving
Ingredient and Processing Aids Storage
Operational Programs (Product Processing)
Final Product Storage
Final Product Transportation
Document Management Program
In the always evolving cannabis industry, are you prepared to face document requirements now and in the future?
With the cannabis industry growing rapidly, laboratories are adapting to the new market demand for medical cannabis testing in accordance to ISO/IEC 17025. Third-party accreditation bodies, such as Perry Johnson Laboratory Accreditation, Inc. (PJLA), conduct these assessments to determine that laboratories are following relevant medical cannabis testing standard protocols in order to detect potency and contaminant levels in cannabis. Additionally, laboratories are required to implement and maintain a quality management system throughout their facility. Obtaining accreditation is a challenge for laboratories initially going through the process. There are many requirements outlined in the standard that laboratories must adhere to in order to obtain a final certificate of accreditation. Laboratories should evaluate the ISO 17025 standard thoroughly, receive adequate training, implement the standard within their facility and conduct an internal audit in order to prepare for a third-party assessment. Being prepared will ultimately reduce the number of findings detected during the on-site assessment. Listed below is research and evidence gathered by PJLA to determine the top ten findings by clause specifically in relation to cannabis testing laboratories.
4.2: Management System
Defined roles and responsibilities of management system and its quality policies, including a structured outline of supporting procedures, requirements of the policy statement and establishment of objectives.
Providing evidence of establishing the development, implementation and maintenance of the management system appropriate to the scope of activities and the continuous improvement of its effectiveness.
Ensuring the integrity of the management system during planned and implemented changes.
Communication from management of the importance of meeting customer, statutory and regulatory requirements
4.3: Document Control
Establishing and maintaining procedures to control all documents that form the management system.
The review of document approvals, issuance and changes.
4.6: Purchasing Services and Supplies
Policies and procedures for the selection and purchasing of services and supplies, inspection and verification of services and supplies
Review and approval of purchasing documents containing data describing the services and supplies ordered
Maintaining records for the evaluation of suppliers of critical consumables, supplies and services, which affect the quality of laboratory outputs.
4.13: Control of Records
Establishing and maintaining procedures for identification, collection, indexing, access, filing, storage and disposal of quality and technical records.
Providing procedures to protect and back-up records stored electronically and to prevent unauthorized access.
4.14: Internal Audits
Having a predetermined schedule and procedure for conducting internal audits of its activities and that addresses all elements that verify its compliance of its established management system and ISO/IEC 17025
Completing and recording corrective actions arising from internal audits in a timely manner, follow-up activities of implementation and verification of effectiveness of corrective actions taken.
Laboratory management not ensuring the competence and qualifications of all personnel who operate specific equipment, perform tests, evaluate test results and sign test reports. Lack of personnel undergoing training and providing appropriate supervision
Providing a training program policies and procedures for an effective training program that is appropriate; identification and review of training needs and the program’s effectiveness to demonstrate competence.
Lack of maintaining records of training actions taken, current job descriptions for managerial, technical and key support personnel involved in testing
5.4: Test and Calibration Methods and Method Validation
Utilization of appropriate laboratory methods and procedures for all testing within the labs scope; including sampling, handling, transport, storage and preparation of items being tested, and where appropriate, a procedure for an estimation of the measurement of uncertainty and statistical techniques for analysis
Up-to-date instructions on the use and operation of all relevant equipment, and on the handling and preparation of items for testing
Introduction laboratory-developed and non-standard methods and developing procedures prior to implementation.
Validating non-standard methods in accordance with the standard
Not completing appropriate checks in a systematic manner for calculations and data transfers
5.6: Measurement Traceability
Ensuring that equipment used has the associated measurement uncertainty needed for traceability of measurements to SI units or certified reference materials and completing intermediate checks needed according to a defined procedure and schedules.
Not having procedures for safe handling, transport, storage and use of reference standards and materials that prevent contamination or deterioration of its integrity.
5.10: Reporting the Results
Test reports not meeting the standard requirements, statements of compliance with accounting for uncertainty, not providing evidence for measurement traceability, inaccurately amending reports.
SOP-3: Use of the Logo
Inappropriate use of PJLA’s logo on the laboratories test reports and/or website.
Using the incorrect logo for the testing laboratory or using the logo without prior approval from PJLA.
Editor’s Note: This is an article submission from the EAS Consulting Group, LLC team.
To Audit, or not to audit? Not even a question! Audits play a crucial role in verifying and validating business practices, ensuring suppliers are meeting their requirements for Good Manufacturing Practices (GMPs), and most importantly, protecting your interests by ensuring that you consistently receive a compliant and quality product. Audits can help ensure sound business procedures and quality systems, including well-established SOPs, verification and documentation of batch records, appropriate sanitation practices and safe storage and use of ingredients. Audits can also identify deficiencies, putting into motion a corrective action plan to mitigate any further challenges. While a detailed audit scheme is commonplace for established industries such as food, pharmaceuticals and dietary supplements, it is equally important for the cannabis industry to ensure the same quality and safety measures are applied to this budding industry.
If the question then is not whether to audit, perhaps the question is howand when to audit, particularly in the case of a company’s suppliers.This is an opportunity to strengthen the working relationship with each side demonstrating a commitment to the end product.
Supplier audits ensure first and foremost that the company with which you have chosen to work is operating in a manner that meets or exceeds your quality expectations – and you should have expectations because ultimately your product is your responsibility. Any issues that arise, even if they are technically the fault of a supplier, become your issue, meaning any enforcement action taken by your state regulators will directly impact your business. Yes, your supplier may provide you with a batch Certificate of Analysis but you should certify their results as well.
Audits are a snapshot of a moment in time and therefore should be conducted on a regular basis, perhaps biennially or even annually, if they are a critical supplier. In some cases, companies choose to bring in third-party auditors to provide an objective assessment of suppliers. This is especially helpful when the manufacturer or customer does not have the manufacturing, compliance and analytical background to accurately interpret data gathered as part of the audit. With the responsibility for ensuring ingredient identity and product integrity falling on the manufacturer, gaining an unbiased and accurate assessment is imperative to reducing the risk to your business.
Conducting a supplier audit should be well planned in advance to ensure both sides are ready. The audit team must be prepared and able to perform their duties via a combination of education, training and experience. A lead auditor will oversee the team and ultimately will also oversee the results, verifying all nonconformities have been properly identified. They will also work with the supplier to conduct a root cause analysis for those nonconformities and develop a corrective action plan to eliminate them from occurring in the future. The audit lead will also verify follow-up results.
Auditors should discuss with the supplier in advance what areas will be observed, what documentation will need to be ready for review and they should conduct their assessments with professionalism. After all, this is an opportunity to strengthen the working relationship with each side demonstrating a commitment to the end product.This is your chance to ensure your suppliers are performing and will meet your business, quality and product expectations.
Auditors must document that ingredient identity and finished product specifications are verified by test methods appropriate for the intended purpose (such as a whole compound versus a powder). State regulations vary so be certain to understand the number and types of required tests. Once the audit is complete and results are analyzed, you, the manufacturer, have an opportunity to determine if the results are acceptable. Remember, it is your product, so ultimately it is your responsibility to review the available data and release the product to market, you cannot put that responsibility on your supplier.
Quality Agreements as Part of a Business Agreement
There are opportunities to strengthen a partnership at every turn, and one way to set a relationship on the right path is to include a quality agreement as part of a business agreement. A quality agreement lays out your expectations for your suppliers, what you are responsible for and is a living document that, once signed, demonstrates their commitment to upholding the standards you expect. Just as with a business agreement, have any quality agreements reviewed by an outside expert to ensure the wording is sound and that your interests are protected. This is just another step in the development of a well-executed business plan and one that solidifies expectations and provides consequences when those expectations are not met.
Supplier audits must be taken seriously as they are opportunities to protect your brand, your business and your consumers. Enter into an audit as you would with any business endeavor – prepared. This is your chance to ensure your suppliers are performing and will meet your business, quality and product expectations.
Last week, Oregon Secretary of State Dennis Richardson published his office’s audit of The Oregon Liquor Control Commission (OLCC). The audit uncovered a number of inadequacies with the regulatory agency, most notably the problems with their tracking system, designed to prevent cannabis form being sold on the black market.
The report highlights the need for Oregon to implement a more robust tracking system, citing reliance on self-reporting, overall poor data quality and allowing untracked inventory for newly licensed businesses. The audit also found an insufficient number of inspectors and unresolved security issues. According to The Oregonian, the OLCC only has 18 inspectors, roughly one for every 83 licensed businesses.
Auditors also found inadequacies in the application system, saying the OLCC doesn’t monitor third-party service providers and doesn’t have a process in place for reconciling data between the licensing and tracking systems. The audit found there is a risk that decisions made for the program could be based on unreliable data. It also found a risk of unauthorized access to the systems, due to a lack of managing user accounts.
This audit’s publication is very timely. Most notably because U.S. Attorney Billy Williams, who called Oregon’s black market problem “formidable,” convened a summit this week to examine how Oregon can prevent cannabis being exported to other states. According to the Oregonian, Williams said Oregon has an “identifiable and formidable overproduction and diversion problem.” The audit’s findings highlighting security issues are also very timely, given that in the same week, Oregon’s neighbor to the North, Washington, experienced a security breach in its own tracking system.
The problems with the Oregon tracking system’s security features are numerous, the audit says. They found that the OLCC lacks a good security plan, IT assets aren’t tracked well, there are no processes to determine vulnerabilities, servers and workstations not using supported operating systems and a lack of appropriately managing antivirus solutions. “Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets,” reads the report’s summary.
The audit proposes 17 recommendations for the state to bolster its regulatory oversight. Those recommendations intend to address undetected compliance violations, weaknesses in application management, IT security weaknesses and weaknesses in disaster recovery and media backup testing. You can read the full audit here.
Lezli Engelking founded the Foundation of Cannabis Unified Standards (FOCUS) in 2014 to protect public health, consumer safety, and safeguard the environment by promoting integrity in the cannabis industry through the use of standards. Standards are an agreed upon way of doing things and specify guidelines or requirements for producing goods or providing services, according to FOCUS.
Standards can take the form of a “reference document, which may include specifications, guidelines, conditions or requirements for products, operations, services, methods, personnel and systems on how to design, operate, manufacture or manage something.” Peter Maguire, VP of System Applications for Lighthouse Worldwide Solutions and committee chair of the FOCUS Cultivation standard, joined the organization wanting to make a positive impact on the industry that is in line with protecting people and medical patients. He sees so much variability in the industry and the need to homogenize standard operating procedures (SOPs). “I have worked with multiple cultivation facilities and a few of them have operating procedures in place but having them in place is only half the solution- it’s critical to have the right ones in place,” says Maguire. He has twenty years of experience in contamination control in manufacturing, before entering the cannabis industry.
The FOCUS cultivation standard was created by experts who have years of experience in both cannabis cultivation, good agricultural practices and in the tightly regulated pharmaceutical industry. “FOCUS created these guidelines as a sort of roadmap for success in business; You need to keep your employees healthy and your products safe to survive in the long term,” says Maguire. We sit down with Lezli Engelking to find out how the standards are created, what makes them significant and what businesses can gain by working with them.
CannabisIndustryJournal: Why are standards important?
Lezli: Standards are the international language for trade – they exist in every industry. “The U.S. Department of Commerce estimates that standards and conformity assessment impact more than 80% of global commodity trade.” FOCUS is not reinventing the wheel with what we are doing. We are simply adapting a business model the federal government already uses. In the 80s, when the heroin epidemic swept across the US, methadone clinics popped up in every state in the country within two years. The clinics were all operating under different state, city and county regulations – much like the cannabis industry is today. The federal government took a look at the situation and decided they needed a way to regulate these clinics in order to protect public health and safety. They released a Request For Proposal (RFP) looking for an organization to create voluntary-consensus standards and a third-party certification system for the methadone clinics. Commission on Accreditation of Rehabilitation Facilities (CARF) is the organization that answered and won that RFP. CARF continues to work with Health and Human Services to maintain the standards and provide third-party certification to the clinics today. FOCUS develops international, voluntary consensus standards and a third party certification program for the global cannabis industry based on the CARF model. This is extremely important, because of the National Technology Transfer and Advancement Act, (Public Law 104-115), signed into law March 7, 1996 by President Clinton. The act requires that all federal agencies use standards developed by voluntary-consensus standards bodies, instead of government-unique standards wherever possible. Perhaps even more importantly, the Act includes provisions that encourage federal agencies to partner with the private sector in the development of standards that not only help improve the efficiency and effectiveness of government, but also strengthen the U.S. position in the global marketplace.
CIJ: What exactly goes into developing a voluntary-consensus standard?
Lezli: Voluntary-Consensus refers to the type of standard and how it is developed. Everyone who participates in the development of voluntary-consensus standards does so on a voluntary basis. Committee members must come to a consensus on every point within the standard- down to every comma or semicolon. Once the development process is complete, the standards must undergo a 30-day public review period. The process for developing voluntary-consensus standards is designated by International Organization for Standardization (ISO). ISO has member agencies in 163 countries that participate in the development of standards. The American National Standards Institute (ANSI) is the American body for ISO. FOCUS follows all ISO/ANSI guidelines in the standards development process. This is extremely important because it means FOCUS standards are suitable for accreditation and adoption into regulations according to the National Technology Transfer and Advancement Act. All voluntary-consensus standards are developed under the principles of:
Openness| Participation in the standard development process is open to individuals with a stake in the standard who bring useful expertise along with the spirit and willingness to participate.
Balance| Focus stakeholder groups involve all stakeholder groups: industry, regulatory, quality assurance, medical, law enforcement, business, research, consumers, patients and the general public.
Voluntary-Consensus| Individual subcommittees of volunteers develop each area of the standard, offering their unique expertise to form a consensus. They are not paid for their participation.
Lack of Dominance| No party has dominant representation, or influence to the exclusion of fair and equitable consideration of other viewpoints.
CIJ: More specifically, how are the FOCUS standards developed?
Lezli: To create a baseline standard, FOCUS utilized World Health Organization (WHO) guidelines for Good Manufacturing Practices (GMP), Good Agricultural Practices (GAP), Good Laboratory Practices (GLP), Code of Federal Regulations (CFR) for pharmaceutical GMPs, nutraceutical GMPs, food safety standards, OSHA and HACCP. From there, applicable cannabis regulations from around the world were added. All of this information was compiled into auditor-style checklists. Each committee member was provided time to go edit, remove or add to items in the checklist on their own. Over the next two years, each of the eight committees had monthly meetings, going through and coming to a consensus on each line item of the standard. Once the committees completed development, the standards were open for a 30-day Public Review to collect comments and feedback. The first eight FOCUS standards, completed and ready for use, cover Cultivation, Retail, Extraction, Infused Products, Laboratory, Security, Sustainability and Packaging & Labeling.
FOCUS is currently recruiting committee members to begin development of five new cannabis standards later this year: Advertising/Marketing, Insurance, Banking/Finance, Patient Care and Research. Committees will receive a list of proposed suggestions for what should be considered in developing the standards. Each committee member will develop a list to select criteria they think should be included into the standard. FOCUS will compile the lists, then committees will go through the monthly standards development/vetting process for each line item in the standard.
CIJ: So what does a business have to gain by adopting a FOCUS standard?
Lezli: Compliance becomes easily manageable with the FOCUS software platform, integrating standards, training and SOPs into the everyday operations of the business. FOCUS certified clients could expect to reduce costs, reduce risk and reduce liability by assuring they are producing safe, quality and consistent products. FOCUS certification allows a business to differentiate themselves from their competitors, and prove to their patients and customers they can trust their products. Certification also allows businesses to access reasonable insurance rates and drives interest from investors.
FOCUS is here to partner with cannabis businesses. We are there to hold their hand, by providing guidance and assistance along every step of the way. Unlike state mandated audits that delineate what a business is doing right or wrong, FOCUS is an on-going compliance management system. We are here to make sure a business runs as efficiently as possible and take the guesswork out of compliance. Under FOCUS certification, a business receives ongoing consulting, customized SOPs, employee training and a documentation management software system to track and prove compliance.
CIJ: Can you give us an update on FOCUS’ progress in 2016?
Lezli: A large milestone for FOCUS this year, aside from completing version one of the standards, is choosing an appropriate software platform, (Power DMS) to house the standards and provide an ongoing compliance management system for our clients. Power DMS also houses regulatory standards for law enforcement; health care, federal aviation and fire departments, so most agencies in public health are already familiar with it. The familiarity and access to this platform is a huge benefit on the regulatory side. It allows first responders to access the schematics of a FOCUS certified client in the event of an emergency. This is crucial in the event of an explosion from extraction equipment, or a fire in a cultivation facility, as without first identifying where the hazards are, they will not access the facility. The FOCUS software platform allows first responders access to all pertinent information through computers in police cars, ambulances, or fire trucks.
For the industry, the FOCUS software platform is equally as impressive. Not only does the platform house the standards and all SOPs, it is also complete compliance management system. FOCUS certified clients have a simple management tool that houses all training and documentation, assuring all required compliance documentation can be easily accessed at any time. The platform also allows FOCUS certified clients to provide access to governing bodies in advance of state audits –streamlining the process and minimizing time and interruption caused by state audits. The FOCUS platform tracks all changes to required documents, provides real time updates on employee training, creates appropriate traceability logs, and provides updates on regulatory changes, including which SOPs need to be changed to maintain compliance. The platform allows FOCUS to be way more than an auditing company. FOCUS is a partnership in compliance for cannabis companies wanting to maintain good business practices and stay compliant with regulations.
We have about 140 new committee members that will assist existing committees with standards updates and participate in the development of the next set of FOCUS standards for advertising/marketing, banking/finance, research, patient care and insurance. All committees will convene before 2017.
Clean Green Certified is a third-party certification program that incorporates aspects of the USDA’s National Organic Program (NOP), international organic programs and sustainable farming practices. Cannabis is not eligible for USDA organic certification because it is not a federally recognized crop, so Clean Green Certified is the closest certification nationally available. More than 200 cultivators are currently Clean Green Certified in California, Oregon, Washington, Colorado and Nevada.
Chris Van Hook, attorney and founder of Clean Green Certified, started the program in 2004 out of requests from growers to certify their cannabis as organic. Van Hook has decades of experience working in environmental law and USDA organic certifications. “About 95% of the Clean Green Certification is based on the USDA’s NOP,” says Van Hook. “The Clean Green Certified cannabis farmer would be eligible for an organic certification as soon as it becomes available, so we are helping the industry get accustomed to the regulations, inspections, and audits that come with getting organically certified.”
Getting Clean Green Certified requires an initial application. Upon inspection, Van Hook’s program examines all the inputs, including water and energy usage, nutrients, pesticides, and soil, along with inspecting the actual plants for agricultural vitality. “We follow the plants from seed to when it is harvested, checking for clean surfaces and containers, as well as drying, curing, trimming, and processing practices,” says Van Hook. “Just like organic farming, the cultivator needs to be an engaged manager and heavily involved with the plants. Much more monitoring is involved to prevent pest problems from getting out of control without using pesticides.”
The initial screening process takes into consideration traceability and legal compliance, which in cultivation and processing alike is an eligibility requirement. “We use USDA organic standards as guidance for processor facility reviews as well, which include concentrates and edibles manufacturers, breaking it down to labeling, food handling, standard operating procedures, mock recalls, and more,” says Van Hook.
“In a market so used to a lack of oversight, there definitely are some challenges, but we are bringing the necessary agricultural and food handling regulations into the cannabis industry,” adds Van Hook.
The option to grow organically and acquire a third party certification for it can benefit cultivators across the country looking to market their product as environmentally sustainable and pesticide-free.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
We use tracking pixels that set your arrival time at our website, this is used as part of our anti-spam and security measures. Disabling this tracking pixel would disable some of our security measures, and is therefore considered necessary for the safe operation of the website. This tracking pixel is cleared from your system when you delete files in your history.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.