Corporate Policies in a Post-Enron

About Us

The following article on "Corporate Policies in a Post-Enron World" was written by Chris Koressis, a Canadian business lawyer who has served as in-house counsel to Royal Bank of Canada, Canadian Imperial Bank of Commerce, and GEAC Computer Corporation. Chris Koressis has practical experience on the legal and business risks, and the opportunities, vital to the success of any company. The article first appeared in The Journal of Corporate Renewal. Chris Koressis was also quoted by Lexpert and Edge Magazine on corporate governance and corporate policies. He also was a speaker on this topic again at the Enterprise Risk Management and Control Self Assessment Conference of the Institute of Internal Auditors. Chris Koressis also led the Legal Pitfalls roundtable at this conference.

Policy Reviews May Prevent Disaster: Corporate Governance Grabs Spotlight in Post-Enron World

Events at such corporate giants as Enron, Nortel, Tyco, and WorldCom have highlighted the importance of proper corporate governance and the necessity for a Code of Business Ethics. No company is immune from the possibility of an Enron-like disaster. Companies should ask if their current corporate policies are enough to protect individuals and the company from liability. Does everyone within the company, public or private, large or small, understand that he or she can make a difference in preventing a disaster?

A company without proper corporate policies in place faces significant legal, regulatory, and business risks, including crippling lawsuits, governmental investigations, loss of goodwill, and personal liability on the part of managers and employees. Claims start to fly when a company suffers losses or damages because of wrongful or unauthorized actions by its employees.

By themselves, corporate policies cannot prevent every potential misstep. If they are properly implemented, however, appropriate policies can lessen the likelihood that such problems will develop, and they can also provide a defense if misdeeds by employees result in lawsuits against a company.

Corporate governance refers to overseeing and directing a company. It entails supervising and contributing to the executive functions of management and being accountable for the company's affairs to its shareholders, employees, customers, suppliers, regulators, and the community. Corporate governance obliges directors and officers of a company to:

  • Develop and implement strategies to ensure a company's survival and prosperity.
  • Evaluate risks and make certain that effective control mechanisms are in place.
  • Supervise the performance of executives.

Directors and officers have legal obligations to control the company. They must evaluate potential weak spots and see that effective corporate policies are in place to mitigate the risks. They must ensure that the company has adequate systems of internal control and accountability and that effective compliance programs have been adopted. Directors and officers are obligated to ensure that the company upholds the highest standards of ethical behavior.

If properly drafted and disseminated, corporate policies can protect a company from liability. Good policies serve as defenses to lawsuits or governmental investigations and also provide a company with legally defensible grounds to terminate employees who breach its guidelines.

Effective corporate policies must be carefully drafted to cover all required subjects without leaving legal loopholes. At the same time, all employees must be able to understand them. Effective corporate policies must reflect the global nature of a company's operations. In other words, policies must be flexible enough to take into account differences in culture and customs of foreign countries within which a company operates.

Subjects that should be addressed by corporate policies include:

  • Compliance with laws, regulations, and accounting standards.
  • Whistle blowing. These policies should address the obligations of employees to the company and its stakeholders with regard to reporting wrongdoing and also the protections against termination that employees have for doing so.
  • Records retention and destruction, including how records should be categorized, how long each category of record should be retained, and what records can be destroyed at some point.
  • Ethics and business practices.
  • Sexual harassment.
  • Confidential information and trade secret protection , including what steps employees must take to protect a company's confidential information and that of third parties.
  • Use of the Internet, social media, e-mail and other electronic messaging.
  • Privacy, including what legal obligations a company has in the absence of a privacy policy and whether that default position can be improved from the company's perspective by drafting a policy. Privacy policies should also address how such guidelines should be brought to the attention of customers.

The President of any company, along with other senior officers and the Board of Directors, have the responsibility to establish policies that are tailored to the reasonable requirements of their business. And they need to take reasonable steps to ensure that such policies are implemented and enforced.

A firm commitment to a corporate code of ethics serves as a foundation for the activities of the company and its employees. It sets standards for acceptable behavior and performance and sends a strong signal to investors, employees, customers, suppliers, and regulators that the company is serious about principled behavior. It can forestall questionable practices and prevent the need for regulatory intervention, and it makes the company more attractive for financing and for mergers and acquisitions.

Policy Tune-up

Companies should review their policies from time to time to ensure that they are up-to-date and address all legitimate issues. However, here are seven steps that companies should consider taking immediately with regard to their policies:

  • Consolidate all existing policies and eliminate duplication. Rather than providing a safety net in efforts to cover all possible scenarios, duplication instead creates confusion and inconsistency that can be exploited in a lawsuit.
  • Develop a standard format and method of organization for policies. This makes policies easier to find, read, and amend as necessary to reflect changes in legislation and case law.
  • Create internal consistency among present policies. Some polices must be detailed and lengthy, and procedures often must be specified as part of a given policy. This level of detail, however, increases the risk that internal inconsistencies will appear, such as the use of undefined jargon, improperly used terms, and procedures that contradict the intent of a policy.
  • Ensure that all applicable legislation and regulations are followed.
  • Develop a process for employee training. Policies that are not communicated to employees and implemented through training are ineffective. A company should not rely on such policies as a defense to a lawsuit, nor should it use such a policy to fire an employee who breaches it. Moreover, for employees to buy into company policies, they need to understand how corporate policies protect them as individuals and the company against liability.
  • Identify gaps in policy and amend or draft new policies to address them.

The integrity of an organization ultimately depends on the character of its employees, from the top down. Corporate policies will not prevent a dishonest officer or employee from engaging in fraud or other misdeeds. They will, however, make a company more attractive to its stakeholders and help it avoid potential liability.

Chris Koressis, a Canadian business lawyer, has served as in-house counsel to Royal Bank of Canada, CIBC, and GEAC. He can be reached at 416.720.1624 or by email at

We welcome any suggestions or questions that you may have. Please send email to:
Copyright 2002-2014