Defining GRC Achievement
At an upcoming event that shall remain unnamed, several companies will be recognized for their GRC “achievements.”
This week, I spoke with one of the folks involved in selecting the honorees, and we spent 30 minutes comparing notes on the difficulty of identifying GRC efforts that qualify as “best practices” or even “leading” practices.
Ever since I (cringe) highlighted in print the ERM framework developed within a giant mortgage company that has since been acquired and renamed, I’ve made it my mission to sniff out any troubling issues within GRC case-study candidates before I proceed. I don’t want my subjects to Countrywide me.
Do you know what I’ve concluded from many months of exhaustive due diligence? It doesn’t take much to find potentially troubling issues in any company willing to talk about its GRC efforts.
I’ve found that some of the most impressive GRC efforts occur in:
• Companies that refuse to talk about these efforts because their GRC initiatives were motivated by the fact that they got into regulatory hot water;
• Companies in which other important functions – internal audit, for example – remain unaware and/or unimpressed by the GRC effort conducted in another part of the organization;
• Companies that nail the theory and framework of top-notch GRC and then drop the ball when it comes to execution;
• Companies experiencing compliance problems in other areas of the organization; and
• Companies whose leading GRC executives are uncomfortable discussing their efforts publicly because they see no value in doing so.
I’m curious: What do you think makes a GRC effort worthy of serving as a model? What components and qualities do you want to see in the GRC efforts featured in case studies? Please let me know … ###