Policy Reviews May Prevent Disaster: Corporate Governance Grabs Spotlight in Post-Enron World

• Develop and implement strategies to ensure a company's survival and prosperity.
• Evaluate risks and make certain that effective control mechanisms are in place.
• Supervise the performance of executives.

Directors and officers have legal obligations to control the company. They must evaluate potential weak spots and see that effective corporate policies are in place to mitigate the risks. They must ensure that the company has adequate systems of internal control and accountability and that effective compliance programs have been adopted. Directors and officers are obligated to ensure that the company upholds the highest standards of ethical behavior.

• Compliance with laws, regulations, and accounting standards.
• Whistle blowing. These policies should address the obligations of employees to the company and its stakeholders with regard to reporting wrongdoing and also the protections against termination that employees have for doing so.
• Records retention and destruction, including how records should be categorized, how long each category of record should be retained, and what records can be destroyed at some point.
• Ethics and business practices.
• Sexual harassment.
• Confidential information and trade secret protection , including what steps employees must take to protect a company's confidential information and that of third parties.
• Internet and e-mail use.
• Privacy, including what legal obligations a company has in the absence of a privacy policy and whether that default position can be improved from the company's perspective by drafting a policy. Privacy policies should also address how such guidelines should be brought to the attention of customers.

To date, Canadian companies have not incurred the kind of fines and liabilities that U.S. regulators and courts have imposed on businesses. Laws that give rise to personal liability are well established in Canada, however. For example, the Investment Dealers Association of Canada fined the former president of Rampart Securities Inc. $125,000 in July and suspended him from employment with IDA member firms after the company was fined $3 million for sales compliance violations. The IDA said that the president of the company, along with other senior officers, failed to meet their responsibility to establish policies that met association requirements and to ensure that such policies were implemented.

• Consolidate all existing policies and eliminate duplication. Rather than providing a safety net in efforts to cover all possible scenarios, duplication instead creates confusion and inconsistency that can be exploited in a lawsuit.
• Develop a standard format and method of organization for policies. This makes policies easier to find, read, and amend as necessary to reflect changes in legislation and case law.
• Create internal consistency among present policies. Some polices must be detailed and lengthy, and procedures often must be specified as part of a given policy. This level of detail, however, increases the risk that internal inconsistencies will appear, such as the use of undefined jargon, improperly used terms, and procedures that contradict the intent of a policy.
• Ensure that all applicable legislation and regulations are followed.
• Develop a process for employee training. Policies that are not communicated to employees and implemented through training are ineffective. A company should not rely on such policies as a defense to a lawsuit, nor should it use such a policy to fire an employee who breaches it. Moreover, for employees to buy into company policies, they need to understand how corporate policies protect them as individuals and the company against liability.
• Identify gaps in policy and amend or draft new policies to address them.

Chris Koressis, a Canadian business lawyer, has served as in-house counsel to Royal Bank of Canada, CIBC, and GEAC. He can be reached at 416.720.1624 or by email at Chris.Koressis@Koressis.com