A simple way to estimate cost of compliance

We hear a variety of objections that boil down to some form of “I’ll take my chances.” The statement implies that the cost of compliance with marijuana regulations is greater than the cost of non-compliance, but is that really true?

The answer, of course, is that it depends.

Cost of Compliance

The cost of compliance varies widely based on the size and risk tolerance of the business, but generally falls into two categories.

Internal Resources

Whether you have someone with “compliance” in their title or not, you are responsible for a wide variety of compliance tasks. The high-level responsibilities include understanding the regulations, executing standard operating procedures (SOPs), staying current on regulations and updating SOPs as necessary, training management and staff, meeting due diligence requirements, etc. In addition, there are many front-line responsibilities that vary based on the type of license and the position of the employee.

Add up the hours associated with those responsibilities and assign an hourly rate that accounts for your employee compensation. For compliance labor, I used 800 hours (16 hours per week for 50 weeks) and $30 per hour (salary of $52,000 plus benefits). Now add something to cover training and tools. That’s your internal cost of compliance.

External Resources

At least annually, an independent auditor should review your compliance operation. This auditor is not an employee of the company, so he provides the validation that your external stakeholders need. Such requests or demands usually come from regulators, banks, insurance companies, landlords, or investors. Individual audits run from $500-$5,000 based on complexity – number of licenses, number of locations, size of inventory, amount of sales volume, etc. Remediation costs can run several times the cost of the audit, which is how some businesses justify the expense of quarterly audits. It’s less expensive to catch problems while they are small or prevent them from occurring in the first place.

Let’s pick an audit fee in the middle, say $2,500, and then assume it will cost another $2,500 to have a consultant come in and fix the shortcomings that were identified in the audit. Add up the fees you pay to independent auditors and consultants over the course of a year. That’s your external cost of compliance.

Now we have a formula that looks something like this. I’ll make some assumptions so that we can see how the math works:

Cost of Compliance

Cost of Non-Compliance

Enforcement activity is increasing, particularly in the number of suspensions and fines. For this post, I reviewed all of the publicly available data from the state of Colorado’s Marijuana Enforcement Division. It includes state and local enforcement activity from 2011-2016. The highlights:

  • Fewer than 100 enforcement actions occurred in the three year period from 2011-2013. Given the large number of businesses approved for marijuana licenses, this is barely a whiff of activity. It opened the door for businesses to adopt a very loose compliance profile.
  • Nearly 700 enforcement actions occurred in the three year period from 2014-2016. Clearly, it takes time for the government to determine how it is going to enforce its regulations, fund that enforcement effort, and then go do it. The sharp jump in effort caught many businesses off-guard.
  • While the average fine was just $8,500, the largest was $150,000. In many cases, authorities suspended or revoked licenses. Bottom line, businesses with loose compliance profiles had to re-think their risk management strategies.

Let’s use probabilities to turn that information into dollar figures. For example, we know from the 2016 data that 79 of the roughly 1,000 businesses received a fine. We can use that as a baseline to say there is a 7.9% probability of receiving a fine going forward. Similarly, we calculate the probability of a suspension at 9.4% and of a revocation at 2.7%. Keep in mind, however, recent news reports suggest enforcement is on the rise in 2017.

If you have revenue of $25,000 per week, a suspended license costs you $50,000 (two-week suspension) and a revoked license costs you $1.3 million. Obviously, a revoked license means you lose that revenue forever and not just for the year, but I’m trying to get to an annual figure.

Cost of Non-Compliance

Now we compare the cost of compliance at $33,000 per year to the cost of non-compliance at $40,472. Divide one into the other and you get a ratio of 0.82. It means your investment in compliance is running at 82% of your expected cost. The data is insufficient to provide a statistically reliable range of “healthy” ratios, but common sense suggests “healthy” is probably somewhere within 80%-120% of your expected compliance cost. Risk takers run closer to 80%; risk averse businesses run closer to 120%.


My simplistic formula shows how you can take some of the subjectivity out of your risk management strategy. It’s a guideline that helps you decide whether you are investing proportionately in compliance resources – people, process, and technology.

To be completely transparent, I should point out two obvious shortcomings.

  1. There are other reasons to invest in compliance than just trying to avoid an enforcement action. Businesses that include trust and security as part of their branding, for example, often invest more in compliance and it is justified by market position rather than any fear of a penalty.
  2. The other shortcoming is the data, both in quantity and quality. Local jurisdictions must report enforcement activity to the state, but do so inconsistently and in different formats. The state is required to aggregate data from local jurisdictions with its own to produce a comprehensive report, which it does, but only once a year in January. Most importantly, the criteria for fines, suspensions, and revocations – if they even exist – are not publicly available. As a result, businesses in Colorado do not have the information needed to prioritize resources in the areas most likely to trigger enforcement actions.

That said, there’s no excuse for not trying. The point of this exercise is that you can make your own assumptions and plug in your own data. What is your cost of compliance? How does it compare to your cost of [potential] non-compliance? Is your investment ratio appropriate for your risk profile? The only wrong answer is the one that comes from not trying, and it usually sounds like “I’ll take my chances”!

Leave a comment