Tag Archives: records

Keep ‘em Safe: Cash, Records, Products, People – Technology Helps Cannabis Businesses Succeed

By Dede Perkins
No Comments

It wasnt that long ago that cannabis was underground, sometimes literally, and operators protected what was theirs any way they knew how. Before legalization, cannabis operators needed to secure their plants, cash, supplies and equipment not just from people who wanted to steal them, but also from law enforcement. The legacy cannabis market is now transitioning into a legal one, and licensed operators are joining the industry at an incredible rate, but security is still part of the success equation. Like before, operators need to protect plants, products, equipment and cash, but they now also need to protect records, privacy and data, and do so in a manner that complies with state regulations.

Cannabis regulatory authorities set security guidelines that cannabis business owners must follow in order to obtain and renew operational licenses. For instance, there are state-specific security regulations regarding video surveillance, camera placement, safes, ID verification, and more. While security measures help protect the business, they also protect the public. Its a win-win for everyone involved. Here are five best practices and techniques to protect cash, records, products and people.

Hybrid cloud storage

State regulations call for reliable video surveillance footage that is accessible, in most cases, 24/7 and upon demand by cannabis regulatory authorities and local law enforcement acting within the limits of their jurisdiction. SecurityInfoWatch.com reports that video data is the industrys next big investment, meaning there will be an increased demand and need to store video surveillance footage. Most states require video surveillance footage to be retained for a specific amount of time, often 45-90 days or longer if there is an ongoing investigation or case that requires the footage. While some businesses only retain video data for the state-required length of time, others choose to keep it longer.

Storing data on-site can become expensive and precarious. Best practices call for a hybrid cloud storage solution model as it provides on-site and both public and private cloud data storage solutions. This model provides users with the ability to choose which files are stored on-site and which files live in the cloud. Doing so improves file accessibility without impacting or compromising on-premises storage. In addition, its helpful to have two methods of digitizing data, for safetys sake. In the event an on-site storage method crashes—though hopefully this wont ever happen—theres a version available off-site via the cloud. That said, with cloud-based storage solutions come cybersecurity threats that must be managed.

Cybersecurity

Dispensaries are prime targets for burglary. Defending a storefront requires a comprehensive security plan

Due to the ongoing COVID-19 pandemic, more businesses are online than ever before. Unsurprisingly, cyberthreats are on an upward trend, including in the cannabis industry. Earlier this year, MJBizDaily reported that a data breach exposed personal information of current and former employees of Aurora Cannabis. The incident involved unauthorized parties [accessing] data in (Microsoft cloud software) SharePoint and OneDrive”. Although this breach involved only employees, confidential customer information is also at risk of being compromised during a data breach. 

On a separate occasion, an unsecured Amazon S3 data storage bucket caused a large-scale database breach that impacted almost 30,000 people across the industry, according to the National Cannabis Industry Association. The breach included scanned versions of government-issued ID cards, purchase dates, customer history and purchase quantities. Unlike the Aurora Cannabis breach, this one included customer data. 

Just like other more established industries, the cannabis industry needs to protect and secure confidential data. If you dont have a cybersecurity expert on your team, consider hiring a consultant to evaluate your risk or partnering with a credible cybersecurity technology company to implement proactive solutions. Before signing a contract, do your due diligence. Does the consultant and/or technology company understand the compliance regulations specific to the cannabis industry? Do their solutions meet the regulations in the state(s) where your facility operates? Taking the time to protect your companys data before a breach occurs is proactive, smart business.

Smart Safes 

A smart safe like this one can helps secure cash handling

Smart safes help secure cash handling, which given the difficult banking environment for cannabis companies, means theyre on the list of best practice security technology products. What is a smart safe? A smart safe is a device that securely accepts, validates, records and stores cash and connects to the other cash management technology solutions such as point of sale systems. They connect to the internet and provide off-site stakeholders visibility into a facilitys cash position.

A high-speed smart safe counts cash by hand faster than a human and is an overall more secure way to deliver cash bank deposits. At the end of the night, making a deposit at a physical bank location can be dangerous, exposing your cash and the individuals responsible for making the deposit to unsecured threats. Using a smart safe reduces that threat and also helps cannabis operators comply with financial recordkeeping and documentation requirements. Due to federal cannabis prohibition, many cannabis businesses lack enough insurance to fully cover their exposure to cash theft, which has led to a trending industry-wide investment in smart safes.

Advanced access control

Best practice access control means more than a ring of keys hanging off the facility managers belt. Advanced access control gives cannabis business owners and managers the ability to manage employee access remotely via the cloud. This feature can limit access areas within a facility, enabling an individual to revoke access instantly from a remote location making it a useful tool in the event of a facility lockdown or emergency. A mobile app and/or website can be used to lock or unlock secure doors, monitor access in real time and export access logs.

Advanced access control devices arent a standard in the industry yet. Although many state regulators dont require cannabis businesses to utilize advanced electronic access control, using this technology is a best practice and may be required in the future.

Compliance software 

Understanding the ramifications and keeping up with state-mandated compliance is challenging. While state regulations can be found online, theyre often in pieces, leaving operators unsure about whether or not they have them all. Once an operator is confident that they have the most current version of all the laws, rules, and regulations that apply to their cannabis business, making way through the dense legal jargon can be exhausting. Even after multiple readings, it can be unclear about how to apply these guidelines to the operators cannabis business, which is one reason cannabis businesses work with a trusted legal counsel to meet compliance requirements. For trusted advisors and cannabis business licensees and operators alike, cannabis compliance software solutions are designed to not just check boxes for a cannabis business, but to help everyone involved understand how the regulations apply to the operation. These solutions improve accessibility so that employees at all organizational levels understand the rules and requirements of their position and the products they work with.

In addition, compliance software can help licensees and operators establish and implement best practice SOPs to meet regulatory requirements. Because the cannabis industry is young and many operators are moving fast, many cannabis businesses are vulnerable to security breaches and threats. Prioritizing security and compliance can help cannabis leaders protect against potential threats. Investing in the latest and most innovative security technology solutions—beyond what is required by state regulations—can help operators outsmart those who seek to steal from them and position their companies as industry leaders that prioritize safety and compliance, protecting not just cash and products, but the people who work in their facilities and the customers who purchase their products.

CannTrust Meltdown Indicative Of Summer Of Scandal To Come

By Marguerite Arnold
No Comments

While you may not have heard of CannTrust Holdings so far, that is now about to change. A summer spectacle of double dealing and corporate greed has put this Canadian cannabis company on the global map.

Unfortunately, the current meltdown underway is indicative of more to come.

A Summary Of The Story So Far

CannTrust, a company which serves 72,000 Canadian patients and got into the game early, decided to do what it saw other companies doing all around them. That covers a lot of ground (good and bad at this point). Regardless, the most relevant recent twist to the saga came when the company hired a new CEO, Peter Aceto last October.

Aceto however, along with the now also fired co-founder and chair of the board Eric Paul, decided to continue growing and harvesting unlicensed product. Worse, this occurred while boasting in public of their productivity gains on the way to securing a hefty investment of capital this spring. $170 million. The grow rooms finally got their certification in April.

What is even more embarrassing however, is that this was a round led by the much-vaunted investors the industry has been courting assiduously for the past several years. Specifically, in this case? Institutional banks like Bank of America, Merrill Lynch, Citigroup, Credit Suisse Securities and RBC Capital Markets.

But that is “just” the North American hemisphere. The rather unfortunately named CannTrust (certainly at this point) also had a European footprint – notably Denmark. Unlicensed cannabis ended up there too, of course. Stenocare A/S, the company at the receiving end of the same, reported receipt of product from the unlicensed rooms on July 4.

As far as such things go, however, you have to give it to CannTrust company executives. In terms of setting standards if not benchmarks and “records”, they certainly seemed to have set a few, although probably not the ones they aspired to. If not, with certainty, their investors.

A Surprise Or Inevitability?

That said, for many who have been sounding warnings for at least a year, the 2019 Summer of Canadian Cannascandal is certainly starting to confirm what many have been saying for quite some time. This is not the first time a securities exchange, for one, has sounded the alarm. Deutsche Börse delisted the entire North American public cannabis industry last summer briefly. Then they revised their policy, reluctantly, after Luxembourg changed its stance on medical use. That said, they are still watching with a standing policy of bouncing any company that runs afoul of their rules.

The problems, issues and more bubbling at the center of this cannameltdown, in other words, are not limited to just one company or country.

And everyone knows it.

Accounting For Past Mistakes

For those who are counting, the value of all of that illegally grown CannTrust product is not insignificant. Estimates are floating in the CA$50-70 million range. The problem is, of course, nobody is sure what numbers to rely on. CannTrust employees knowingly provided inaccurate information to the new CEO if not regulatory body until a whistle-blower provided a few more details.

That said, for all of the hullabaloo, one thing this story also does is point a bright spotlight on the lax enforcement of even this pretty easy-to-understand regulation.

The question, however is, if CannTrust thought it could get away with this kind of blatent flouting of the rules, if not lax oversight, are there any other companies who might have also done similiar things?

After all, even the pesticide scandal of 2016 did not occur at just one company either.

Where Are The Proceedings?

This is a rolling story, which began to break at the beginning of last month when Health Canada issued a non-compliance order to CannTrust and impounded 5,200 kg of dried cannabis that was apparently grown in unlicensed grow rooms on July 3.

There have already been some jaw dropping revelations so far (beyond the executive decision to even go down this road in the first place) no matter how attractive pimping numbers was. Starting with things like fake walls being erected to hide the grow. And then of course pictures that have been all over social media of late, of the now departed CEO Aceto being photographed directly in front of said unlicensed rooms too.

As a result, the drama has continued to unfold in a highly predictable way.

By August 1, CannTrust Holdings, a Canadian cannabis company listed on both the New York and Toronto stock exchanges, was facing a “quasi-criminal investigation” by the Canadian Joint Serious Offenses Team. This is a coalition of law enforcement agencies including the Ontario Securities Commission, the Royal Canadian Mounted Police Financial Crimes Unit, and the Ontario Provincial Police Anti-Rackets Branch.

But CannTrust’s issues don’t end there. This is an international story that is just beginning. Government regulators in Europe if not elsewhere are paying attention.So are shareholders, and their lawyers.

Documentation: Are You Prepared?

By Radojka Barycki
No Comments

Documents play a key role in the world of regulations and global standards. Documents tell a story on programs development, implementation and verification during an inspection or audit. Documents are used as evidence to determine conformance to the law or standard. However, do you know what kind of documents may be reviewed during a regulatory inspection or a food safety audit? Are you prepared to show that the implementation of regulatory requirements or a standard is done efficiently at your facility?

Inspectors and auditors will look for compliance either to regulations or to a standard criterion. Regulations and standards require that documentation is controlled, secured and stored in an area where they cannot deteriorate. Therefore, writing a Document Management Program (DMP) will help a business owner ensure consistency in meeting this and other requirements.Radojka Barycki will host a a plenary session titled, “Cannabis: A Compliance Revolution” at the 2018 Food Safety Consortium | Learn More

A well-developed and implemented DMP provides control over documents by providing a number sequence and revision status to the document. In addition, ownership for development, review and distribution of the documents are assigned to specific individuals within the company to ensure that there are no inconsistencies in the program. Documents must also have the name of the company in addition to a space to write the date when the record is generated. It is recommended to include the address if there are multiple operational sites within the same company.

There are different types of documents that serve as support to the operations:

  1. Program: A written document indicating how a business will execute its activities. When it comes to the food industry, this is a written document that indicates how quality, food safety and business activities are controlled.
  2. Procedures: General actions conducted in a certain order. Standard Operational Procedures (SOPs) allow the employee to know what to do in general. For example, a truck receiving procedure only tells the employee what the expected conditions are when receiving a truck (cleanliness, temperature, etc.) However, it doesn’t tell the employee how to look for the expected conditions at the time of the truck arrival.
  3. Work Instructions: Detailed actions conducted in a certain order. For example, truck inspection work instruction tells the employee what steps are to be followed to perform the inspection.
  4. Forms: Documents used to record activities being performed. 
  5. Work Aids: are documents that provide additional information that is important to perform the job and can be used as a quick reference when performing the required activities within the job. 
Are you prepared to face document requirements now and in the future?

The inspectors and auditors base their role on the following saying: “Say what you do. Do what you say. Prove it!” The programs say what the company do. The procedures, work instructions and work aids provide information on implementation (Do what you say) and the forms become records that are evidence (prove) that the company is following their own written processes.

Regulatory requirements for cannabis vary from state to state. In general, an inspector may ask a cannabis business to provide the following documentation during an inspection:

  1. Business License(s)
  2. Product Traceability Programs and Documents
  3. Product Testing (Certificate of Analysis – COAs)
  4. Certification Documents (applicable mainly to cannabis testing labs)
  5. Proof of Destruction (if product needs to be destroyed due to non-compliance)
  6. Training Documents (competency evidence)
  7. Security Programs

As different states legalize cannabis, new regulatory requirements are being developed and modeled after the pharma, agriculture and food industries. In addition, standards will be in place that will provide more consistency to industry practices at a global level. The pharma, agriculture and food industries base their operations and product safety in programs such as cGMPs, GAPs, HACCP-based Food Safety Management Systems and Quality Management Systems. Documents required during an inspection or audit are related to:

  1. Good Agricultural Practices (GAPs)
  2. Current Good Manufacturing Practices (cGMPs)
  3. Food Safety Plan Documents
  4. Ingredient and Processing Aids Receiving
  5. Ingredient and Processing Aids Storage
  6. Operational Programs (Product Processing)
  7. Final Product Storage
  8. Final Product Transportation
  9. Defense Program
  10. Traceability Program
  11. Training Program
  12. Document Management Program

In the always evolving cannabis industry, are you prepared to face document requirements now and in the future?

Top 10 Common Findings Detected During Cannabis Laboratory Assessments: A Guide to Assist with Accreditation

By Tracy Szerszen
No Comments

With the cannabis industry growing rapidly, laboratories are adapting to the new market demand for medical cannabis testing in accordance to ISO/IEC 17025. Third-party accreditation bodies, such as Perry Johnson Laboratory Accreditation, Inc. (PJLA), conduct these assessments to determine that laboratories are following relevant medical cannabis testing standard protocols in order to detect potency and contaminant levels in cannabis. Additionally, laboratories are required to implement and maintain a quality management system throughout their facility. Obtaining accreditation is a challenge for laboratories initially going through the process. There are many requirements outlined in the standard that laboratories must adhere to in order to obtain a final certificate of accreditation. Laboratories should evaluate the ISO 17025 standard thoroughly, receive adequate training, implement the standard within their facility and conduct an internal audit in order to prepare for a third-party assessment. Being prepared will ultimately reduce the number of findings detected during the on-site assessment. Listed below is research and evidence gathered by PJLA to determine the top ten findings by clause specifically in relation to cannabis testing laboratories.

PJLA chart
The top 10 findings by clause

4.2: Management System

  • Defined roles and responsibilities of management system and its quality policies, including a structured outline of supporting procedures, requirements of the policy statement and establishment of objectives.
  • Providing evidence of establishing the development, implementation and maintenance of the management system appropriate to the scope of activities and the continuous improvement of its effectiveness.
  • Ensuring the integrity of the management system during planned and implemented changes.
  • Communication from management of the importance of meeting customer, statutory and regulatory requirements

4.3: Document Control

  • Establishing and maintaining procedures to control all documents that form the management system.
  • The review of document approvals, issuance and changes.

4.6: Purchasing Services and Supplies

  • Policies and procedures for the selection and purchasing of services and supplies, inspection and verification of services and supplies
  • Review and approval of purchasing documents containing data describing the services and supplies ordered
  • Maintaining records for the evaluation of suppliers of critical consumables, supplies and services, which affect the quality of laboratory outputs.

4.13: Control of Records

  • Establishing and maintaining procedures for identification, collection, indexing, access, filing, storage and disposal of quality and technical records.
  • Providing procedures to protect and back-up records stored electronically and to prevent unauthorized access.

4.14: Internal Audits

  • Having a predetermined schedule and procedure for conducting internal audits of its activities and that addresses all elements that verify its compliance of its established management system and ISO/IEC 17025
  • Completing and recording corrective actions arising from internal audits in a timely manner, follow-up activities of implementation and verification of effectiveness of corrective actions taken.

5.2: Personnel

  • Laboratory management not ensuring the competence and qualifications of all personnel who operate specific equipment, perform tests, evaluate test results and sign test reports. Lack of personnel undergoing training and providing appropriate supervision
  • Providing a training program policies and procedures for an effective training program that is appropriate; identification and review of training needs and the program’s effectiveness to demonstrate competence.
  • Lack of maintaining records of training actions taken, current job descriptions for managerial, technical and key support personnel involved in testing

5.4: Test and Calibration Methods and Method Validation

  • Utilization of appropriate laboratory methods and procedures for all testing within the labs scope; including sampling, handling, transport, storage and preparation of items being tested, and where appropriate, a procedure for an estimation of the measurement of uncertainty and statistical techniques for analysis
  • Up-to-date instructions on the use and operation of all relevant equipment, and on the handling and preparation of items for testing
  • Introduction laboratory-developed and non-standard methods and developing procedures prior to implementation.
  • Validating non-standard methods in accordance with the standard
  • Not completing appropriate checks in a systematic manner for calculations and data transfers

5.6: Measurement Traceability

  • Ensuring that equipment used has the associated measurement uncertainty needed for traceability of measurements to SI units or certified reference materials and completing intermediate checks needed according to a defined procedure and schedules.
  • Not having procedures for safe handling, transport, storage and use of reference standards and materials that prevent contamination or deterioration of its integrity.

5.10: Reporting the Results

  • Test reports not meeting the standard requirements, statements of compliance with accounting for uncertainty, not providing evidence for measurement traceability, inaccurately amending reports.

SOP-3: Use of the Logo

  • Inappropriate use of PJLA’s logo on the laboratories test reports and/or website.
  • Using the incorrect logo for the testing laboratory or using the logo without prior approval from PJLA.
HACCP

Hazard Analysis and Critical Control Points (HACCP) for the Cannabis Industry: Part 4

By Kathy Knutson, Ph.D.
No Comments
HACCP

In Part 3 of this series on HACCP, Critical Control Points (CCPs), validation of CCPs and monitoring of CCPs were defined. When a HACCP plan identifies the correct CCP, validates the CCP as controlling the hazard and monitors the CCP, a potential hazard is controlled in the manufacturing and packaging of cannabis-infused edibles. The food industry is big on documentation. If it’s not documented, it did not happen. The written hazard analysis, validation study and monitoring of CCPs create necessary records. It is these records that will prove to a customer, auditor or inspector that the edible is safe. Here in Part 4, more recordkeeping is added on for deviation from a CCP, verification and a recall plan. 

Take Corrective Action When There Is a Deviation from a Critical Control Point

Your food safety team conducts a hazard analysis, identifies CCPs and decides on monitoring devices, frequency and who is responsible for monitoring. You create an electronic or paper record of the monitoring for every batch of edible to document critical limits were met. Despite all your good efforts, something goes wrong. Maybe you lose power. Maybe the equipment jams. Nothing is perfect when dealing with ingredients, equipment and personnel. Poop happens. Because you are prepared before the deviation, your employees know what to do. With proper training, the line worker knows what to do with the equipment, the in-process product and who to inform. In most cases the product is put on hold for evaluation, and the equipment is fixed to keep running. The choices for the product include release, rework or destroy. Every action taken needs to be recorded on a corrective action form and documents attached to demonstrate the fate of the product on hold. All the product from the batch must be accounted for through documentation. If the batch size is 100 lb, then the fate of 100 lb must be documented.

Verify Critical Control Points Are Monitored and Effective

First, verification and validation are frequently confused by the best of food safety managers. Validation was discussed as part of determining CCPs in Part 3. Validation proves that following a CCP is the right method for safety. I call validation, “one and done.” Validation is done once for a CCP; while verification is ongoing at a CCP. For example, the time and temperature for effective milk pasteurization is very well known and dairies refer to the FDA Pasteurized Milk Ordinance. Dairies do not have to prove over and over that a combination of time and temperature is effective (validation), because that has been proven.

I encourage you to do as much as you can to prepare for a recall.A CCP is monitored to prove the safety parameters are met. Pasteurization is an example of the most commonly monitored parameters of time and temperature. At a kill step like pasteurization, the employee at that station is responsible for accurate monitoring of time and temperature. The company managers and owners should feel confident that CCPs have been identified and data are being recorded to prove safety. Verification is not done by the employee at the station but by a supervisor or manager. The employee at the station is probably not a member of the food safety team that wrote the HACCP plan, but the supervisor or manager that performs verification may be. Verification is proving that what was decided by the food safety team is actually implemented and consistently done.

Verification is abundant and can be very simple. First, every record associated with a CCP is reviewed by a supervisor or manager, i.e. someone who did not create the record. This can be a simple initial and date at the bottom of the record. Every corrective action form with its associated evaluation is verified in the same way. When HACCP plans are reviewed, that is verification. Verification activities include 1) testing the concentration of a sanitizer, 2) reviewing Certificates of Analysis from suppliers, 3) a review of the packaging label and 4) all chemical and microbiological testing of ingredients and product. The HACCP plan identifies CCPs. Verification confirms that implementation is running according to the plan.

Verification is like a parent who tells their child to clean their room. The child walks to their room and later emerges to state that the room is clean. The parent can believe the word of the child, if the child has been properly trained and has a history of successfully cleaning their room. At some frequency determined by the parent, the room will get a parental visual check. This is verification. In the food industry, CCP monitoring records and corrective action must be reviewed within seven days after the record is created and preferably before the food leaves the facility. Other verification activities are done in a timely manner as determined by the company.

Food processing and sanitation
Product recalls due to manufacturing errors in sanitation cause mistrust among consumers.

Write a Recall Plan

In the food industry, auditors and FDA inspectors require a written recall plan. Mock recalls are recommended and always provide learning and improvement to systems. Imagine your edible product contains sugar, and your sugar supplier notifies you that the sugar is recalled due to glass pieces. Since you are starting with the supplier, that is one step back. Your documentation of ingredients includes lot numbers, dates and quantity of sugar.You keep good records and they show you exactly how much of the recalled lot was received. Next you gather your batch records. Batches with the recalled sugar are identified, and the total amount of recalled sugar is reconciled. You label every batch of your edible with a lot code, and you identify the amount of each affected lot and the customer. You have a press release template in which you add the specific information about the recall and affected lots. You notify every customer where the affected edible was shipped with a plan to return or destroy the edible. When you notify your customers, you go one step forward.

How would your company do in this situation? I have witnessed the difficulties a company faces in a recall when I was brought in to investigate the source of a pathogen. Food safety people in my workshops who have worked through a recall tell me that it was the worst time of their life. I encourage you to do as much as you can to prepare for a recall. Here are two good resources:

Please comment on this blog post below. I love feedback!

Marijuana Matters

A Guide to Documentation and SOPs for Start Ups

By David C. Kotler, Esq.
2 Comments

As your company grows, or whether you want to have certain documentation to make an application for licensure and/or for outside entities looking to invest, it is necessary to handle issues from a documentation standpoint. Learning how to handle situations with staff through proper employee manuals and how to establish and practice standard operating procedures can help businesses avoid common pitfalls with a little forethought.

Beginning with standard operating procedures (SOPs), there are many resources available to get assistance in crafting them. You can consult with individuals such as safety content producers, business consultants, lawyers, technical writers, and even borrowing SOP writers from other industries. I am aware of a Connecticut producer who tapped pharmaceutical SOP writers as consultants with the focus of establishing their standard operating procedures. I am not convinced that there is any proper person or method by which an entity may want to consider an SOP. As a threshold, however, it is important that a proper format is created, i.e., simple steps, hierarchical steps format or perhaps even a flow chart format.

One would want to consider the audience who will be reading the SOP and the information to impart to that audience. It is also important to consider SOPs that you want to update as practices evolve or change.

It is possible to create SOPs internally, and frankly, this may be the most recommended route. If the SOPs are being used for guidance and not just to support the license application process, this is particularly important. It is a time-consuming task and if created from the inside out, it can be most effective.

It is possible to get lost in the minutia by documenting every step taken within a particular process. I have seen SOPs number in the hundreds just for cultivation and processing operations. One particular entity in Colorado created over 63 SOPs within the past year. If you are writing your own SOPs, it is important to understand the scope and applicability, i.e. why a particular process is performed and how it is used, then the procedures and/or steps that are necessary to accomplish that particular process, clarify any terms that are necessary so that the reader is able to follow the steps throughout a particular outline, cover health and safety issues, address equipment and supplies and provide emergency procedures.

The process that I can attest to as being fruitful is interplay between an employee who is actually responsible for a given task and a third party looking from a 1000-foot view. For instance, have the employee who completes a number of tasks within the organization provide a list of what they do on a general day-to-day basis. From that list, have the third party extrapolate what topics might be covered, often times borrowing from other well known standard operating procedures that are seen across industries and come up with a master list of the SOPs which are desired. It is important for the employee and third party to collaborate to finalize SOPs.

Employee guides or manuals provide information on benefits, when time sheets are due, paydays, holidays, vacation days, sick days and more. For employees, it helps mitigate risk by providing guidelines for conduct, discipline, and local practices in the states in which you operate. Employee guides are most effective when they are created to match your company’s needs. When it is tailored to your company, you are certain that the policies meet the laws of the places where your offices and employees are located. It allows you to provide input so you can ensure that you have developed policies that your company will follow. Unwritten policies are unwise as they may cause issues and can potentially lead to lawsuits. There are three types of multi-state employee guides: a guide with favored nations status, meaning that the most liberal laws in one location apply to the entire organization; an employment guide for each location in which you operate; or you can create one guide with a local practice section.

Creation of employee guides is a time consuming and arduous practice, but once completed, they help guide the relationship between employee and employer. Employees should review the employee manual and sign off upon receipt and review. This will serve to protect the employer in the future should an issue covered by the manual arise.

An effective employee guide might include (but certainly not be limited to) the following:

  • An “employment at will” disclaimer
  • An anti-harassment policy
  • An internal grievance procedure
  • Equal Employment Opportunity (EEO)
  • Employee benefits
  • Paid time off (vacation, personal days, sick leave)
  • Unpaid leaves of absence
  • Americans with Disabilities Act (ADA) (for employers with more than 15 employees)
  • Jury duty, military leave
  • Hours of work
  • Introductory/probationary period
  • Legally mandated language concerning pay deductions
  • Proper E-mail/Internet usage
  • Professionalism/dress code
  • Drugs in the workplace
  • Social media policy

There are many other policies that would be included in order to comply with requirements that might be mandated by a particular regulatory scheme i.e. security compliance. The guide should be a living, breathing document that evolves over time based on new knowledge, changes in laws and business fluidity.

Both standard operating procedures and employee manuals or guides are integral to the viability of a cannabis related business whether a hands on the plant license holder or an ancillary company. I encourage my clients to craft self-created content that they have invested their time and knowledge into, with some help where necessary. Purchasing forms online does not provide a workable format and will only lead to problems in the future. You get what you put in and creating these documents internally and from the ground up gives more control to the business.