Dude, Where's My Risk?
Blogs Mike Jacka, CIA, CPA, CPCU, CLU Oct 25, 2019
In 1970, I was 15 years old. (You do the math.) Contrary to what many of you out there believe/expect/insist, that means I wasn’t really a part of the 1960s counterculture. Add in the fact that I grew up in Arizona, where the definition of a liberal was someone who thought twice about voting for Barry Goldwater before going ahead and doing so, and there wasn’t much confluence between myself and the love generation.
But it had one major impact on me (besides thinking the Monkees represented the pinnacle of rock and roll). As someone looking forward to a great, big, beautiful tomorrow, I didn’t spend my time wondering why we didn’t have flying cars or people-movers or jet packs or transporters or honesty in government (you live through the Nixon years; you have some hope). Instead, I really wanted to know one, simple thing — where was legalized marijuana.
In the early 1970s, it was a foregone conclusion that such legalization was just around the corner. Well, that wasn’t the case. However, it looks like in spite of the dearth of success for the other aspirations we may have had for the future, the legalization of marijuana is happening before our very eyes.
Twenty-two states have approved the use of medical marijuana and an additional 11 states have approved recreational use. In addition, Canada has legalized its use, and a large number of countries are in various stages of decriminalization.
(Quick disclaimer: I am not an attorney, have not played one on TV, and really don’t particularly like most of the ones who advertise on TV. Accordingly, don’t use anything I say to make any decisions regarding the use of marijuana in various jurisdictions. I wouldn’t trust me and you shouldn’t either.)
The move toward legalization is having a serious impact on companies and organizations everywhere. Do a quick Google search, and you will see a plethora of articles about how organizations are trying to respond to this new risk. You will further see associations such as the Society for Human Resource Management, the National Safety Council, and Occupational Health and Safety providing their own interpretations of how organizations should respond.
(I typed in “How is legalized marijuana affecting the workplace” and found enough reading material to keep me busy until it is legalized in every state, every country, and every planet in the universe.)
So, here’s the question for every internal auditor: Do you have any idea how your organization is preparing for the potential risks related to legalization? In fact, let’s drop the word “potential.” With the widespread legalization that is occurring, that risk is “current.” Do you have any idea how your organization is preparing for the current risks related to legalization?
What are the organizational impacts on productivity, safety, determining impairment, consequences to employees, and issues arising from testing? Is there a written substance-abuse policy in place? Does it specifically address marijuana? Are employees being educated about the impacts and differences related to marijuana use? Are supervisors, managers, etc. trained to recognize the effects of marijuana use and how to approach potential issues? Are employees using medical marijuana treated differently than those using it recreationally?
And, more to the point, have you even thought to ask?
I may be wrong on this one, but I have not seen a whole lot of dialogue regarding this risk within the world of internal audit. Now, that doesn’t mean it isn’t being discussed. I’ll agree that the overall risk may not be as big as cybersecurity and some of our current bugaboos. But that doesn’t mean we should ignore it.
I’m not saying a full-blown audit. But, at the very least, have the discussion with those in charge of policies and make sure that someone/anyone is paying attention to this newly evolving risk.
And now, the broader point.
When you listen to the news, do you take a moment to think about how what you are hearing might impact your organization? Currently it is the discussion on the legalization of marijuana. In the past it is has included such areas as cybersecurity (there it is again), social media’s impact on reputation, and #metoo. Some of these became so big that boards were asking about them. But all of them are areas where internal audit, when first hearing the potential for risks, should have been quickly diving into the organization’s responses.
As the Beatles said, “I read the news today, oh boy.” And it is our responsibility to take that news and find its relevance to the issues and risks our organizations may face.